cf-abacus

Authorization check performed after reading the document

Open stoyanr opened this issue 8 years ago • 3 comments

Currently, in order to perform authorization checks, the relevant document is first read from the database, and only then the passed OAuth scopes are compared to the required OAuth scopes. This is because in order to build the required scopes a resource_id is needed, but it is usually not part of the request, but part of the document.

This is not ok, as one could try a DoS attack against Abacus using an invalid token. Instead, it should be possible to retrieve the resource_id from the account plugin (there it's usually cached), perform the authorization check, and only if successful proceed with retrieving the document.

stoyanr Feb 20 '17 11:02
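The two orderings described in the issue, side by side, as an added example that is not cf-abacus code: the store, the account plugin and the scope format (`abacus.usage.<resource_id>.read`) are constructed stand-ins, so only the ordering and its cost per request are the point.

```javascript
// Constructed in-memory store that counts reads, so the cost of each
// ordering is visible. A real store call would be asynchronous.
const db = {
  reads: 0,
  docs: { 'doc-1': { resource_id: 'object-storage', usage: 42 } },
  get(id) {
    this.reads += 1;
    if (!(id in this.docs)) throw new Error('not found');
    return this.docs[id];
  },
};

// Hypothetical account plugin: cheap, cached lookup of a document's resource_id.
const accountPlugin = {
  cache: new Map([['doc-1', 'object-storage']]),
  resourceIdFor(id) { return this.cache.get(id); },
};

// Assumed scope format: reading resource X requires `abacus.usage.X.read`.
const requiredScopes = (resourceId) => [`abacus.usage.${resourceId}.read`];
// A token that failed verification arrives as null and carries no scopes.
const hasScopes = (token, needed) =>
  token !== null && needed.every((s) => token.scope.includes(s));

// Current ordering (the problem): the document is read before the token is
// checked, so every request, valid token or not, costs a database read.
function readThenCheck(token, id) {
  const doc = db.get(id);
  if (!hasScopes(token, requiredScopes(doc.resource_id))) throw new Error('forbidden');
  return doc;
}

// Proposed ordering: resolve resource_id from the cache, authorize, then read.
function checkThenRead(token, id) {
  const resourceId = accountPlugin.resourceIdFor(id);
  // Unknown id: fail closed, with no database read and no existence leak.
  if (resourceId === undefined) throw new Error('forbidden');
  if (!hasScopes(token, requiredScopes(resourceId))) throw new Error('forbidden');
  return db.get(id);
}

// Runs one ordering and reports how many reads it caused and whether it allowed access.
function measure(fn, token, id) {
  db.reads = 0;
  let allowed = true;
  try { fn(token, id); } catch (e) { allowed = false; }
  return { reads: db.reads, allowed };
}
```

With a token that fails verification, `readThenCheck` still costs one store read per request, while `checkThenRead` costs none; a valid token pays exactly one read in either case.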

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/140227121

The labels on this github issue will be updated when the story is started.

cf-gitbot Feb 20 '17 11:02

We have the same pattern in dataflow: https://github.com/cloudfoundry-incubator/cf-abacus/blob/master/lib/utils/dataflow/src/index.js#L672-L681

hsiliev Mar 15 '17 19:03

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/141805991

The labels on this github issue will be updated when the story is started.

cf-gitbot Mar 15 '17 19:03