
escapeAssertion does not respect string literals

Open kevinresol opened this issue 1 year ago • 3 comments

Currently escapeAssertion does a rather brutal regex replace operation to convert r.*/p.* into r_*/p_* respectively. However, it does not consider the case where the expression could contain a string literal. So if you have a rule that has some sort of string literal like p.obj == "r.something", it will fail in a very subtle manner.

const { newEnforcer, newModel } = require("casbin");

const MY_RESOURCE_NAME = "r.my_resource"; // change this to e.g. "a.my_resource" and it will work

(async function () {
  const model = newModel();
  model.addDef("r", "r", "act, obj");
  model.addDef("p", "p", "act, obj, rule");
  model.addDef("e", "e", "some(where (p.eft == allow))");
  // the matcher evaluates the per-policy expression stored in p.rule
  model.addDef("m", "m", "r.act == p.act && r.obj == p.obj && eval(p.rule)");

  const enforcer = await newEnforcer(model);
  // addPolicy is async; await it so the policy is in place before enforce()
  await enforcer.addPolicy(
    "alice",
    MY_RESOURCE_NAME,
    `p.obj == "${MY_RESOURCE_NAME}"`
  );

  // does not work because internally it becomes `p_obj == "r_my_resource"`
  console.log(await enforcer.enforce("alice", MY_RESOURCE_NAME));
})();

kevinresol Apr 11 '24 02:04
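To make the failure mode concrete, here is an added example (not node-casbin's own code) that places a naive regex-based escape, reconstructed from the behaviour described above, next to a literal-aware version that tracks quote state and only rewrites `r.`/`p.` outside of string literals. The regex and both function names are assumptions for illustration.

```javascript
// Naive form, mirroring the behaviour the issue describes: every "r." / "p."
// (optionally followed by digits) at a word boundary becomes "r_" / "p_",
// even when it sits inside a quoted string literal. Assumed regex, not the
// library's actual implementation.
function escapeAssertionNaive(expr) {
  return expr.replace(/\b([rp]\d*)\./g, "$1_");
}

// Literal-aware form: scan the expression character by character, remember
// whether we are inside a single- or double-quoted literal (honouring
// backslash escapes), and only rewrite tokens found outside a literal.
function escapeAssertionSafe(expr) {
  let out = "";
  let quote = null; // current quote character, or null when outside a literal
  for (let i = 0; i < expr.length; i++) {
    const ch = expr[i];
    if (quote) {
      out += ch;
      if (ch === "\\" && i + 1 < expr.length) {
        out += expr[++i]; // copy the escaped character verbatim
      } else if (ch === quote) {
        quote = null; // literal closed
      }
      continue;
    }
    if (ch === '"' || ch === "'") {
      quote = ch; // literal opened
      out += ch;
      continue;
    }
    // Outside a literal: rewrite r./p. (optional numeric suffix) only when the
    // token starts at a word boundary, so "wrap.obj" is left untouched.
    const m = /^([rp]\d*)\./.exec(expr.slice(i));
    const prev = i > 0 ? expr[i - 1] : "";
    if (m && !/[A-Za-z0-9_]/.test(prev)) {
      out += m[1] + "_";
      i += m[0].length - 1;
      continue;
    }
    out += ch;
  }
  return out;
}
```

Running both over the policy rule from the report shows the naive version turning `"r.my_resource"` into `"r_my_resource"`, while the literal-aware version leaves the quoted value intact.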

@nodece @Shivansh-yadav13

casbin-bot Apr 11 '24 02:04

@kevinresol can you check whether Go Casbin has already fixed this?

hsluoyz Apr 11 '24 05:04

Not a golang speaker, but apparently the implementation is identical there: https://github.com/casbin/casbin/blob/64efe3d122bfe68c9cf68e1bd174173a61f11743/util/util.go#L39

kevinresol Apr 12 '24 04:04