
[Security] Tighten permissions for APIs that return files

Open vkWeb opened this issue 3 years ago • 0 comments

Observed behavior

The current behavior of the downloadcsvfile API allows anonymous users to download the CSV file. For example: https://kolibri-demo.learningequality.org/facility/api/downloadcsvfile/tmp11wsss.download/a3f606630690237bbe94fe2a1a850af4.

After discussing this issue with @rtibbles we came to the conclusion that we should be tightening these specific API endpoints permissions.

Expected behavior

Anonymous users must not be allowed to download files like these.

User-facing consequences

A major privacy issue for large organizations.

Steps to reproduce

  1. Log in as a superuser.
  2. Fire up exportuserstocsv task.
  3. From the GET /api/tasks/tasks/ note down the facility_id and filename.
  4. Log out. Now we are anonymous.
  5. Build up the URL in the expected format, i.e. <base_url>/facility/api/downloadcsvfile/<filename>/<facility_id>.
  6. Visit the URL.

Context

  • Kolibri version: https://kolibri-demo.learningequality.org
  • Operating system: Ubuntu 20.04
  • Browser: Chrome 91.0.4472.164 (Official Build) (64-bit)

vkWeb, Aug 02 '21 16:08
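The authorization gap described in the report, modelled as an added example. This is illustrative code, not Kolibri's own download view; the User and file-registry shapes, the facility identifiers and the filenames are constructed for the example. It places the reported behaviour (the file is served to anyone who knows the URL) beside a hardened version that requires an authenticated caller who is a superuser or an admin of the facility the export belongs to, and that performs that check before the file lookup so that unauthorized callers learn nothing about which filenames exist.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data: (filename, facility_id) -> CSV bytes written by an
# export task. These identifiers are invented for the example.
FILES: Dict[Tuple[str, str], bytes] = {
    ("tmpEXAMPLE.download", "facility-A"): b"username,full_name\nalice,Alice\n",
    ("tmpEXAMPLE.download", "facility-B"): b"username,full_name\nbob,Bob\n",
}


@dataclass(frozen=True)
class User:
    """Minimal stand-in for the request's user (assumed shape, not Kolibri's model)."""
    username: str
    facility_id: Optional[str]        # None means the request is anonymous
    is_superuser: bool = False
    is_facility_admin: bool = False

    @property
    def is_anonymous(self) -> bool:
        return self.facility_id is None


ANONYMOUS = User(username="", facility_id=None)

Response = Tuple[int, bytes]          # (HTTP status, body)


def unguarded_download(user: User, filename: str, facility_id: str) -> Response:
    """Reported behaviour: no authorization check, the file goes to whoever
    knows the URL. `user` is accepted but never consulted."""
    data = FILES.get((filename, facility_id))
    return (200, data) if data is not None else (404, b"")


def can_download(user: User, facility_id: str) -> bool:
    """Authorization rule for facility exports: the caller must be logged in
    and be either a superuser or an admin of the facility named in the URL.
    Membership of the facility alone (e.g. a coach or learner) is not enough."""
    if user.is_anonymous:
        return False
    if user.is_superuser:
        return True
    return user.is_facility_admin and user.facility_id == facility_id


def guarded_download(user: User, filename: str, facility_id: str) -> Response:
    """Hardened form: authorize first, then look the file up. Denied callers
    always get 403, whether or not the filename exists."""
    if not can_download(user, facility_id):
        return (403, b"")
    data = FILES.get((filename, facility_id))
    return (200, data) if data is not None else (404, b"")


if __name__ == "__main__":
    admin_a = User("admin_a", "facility-A", is_facility_admin=True)
    for label, view in (("unguarded", unguarded_download), ("guarded", guarded_download)):
        print(label, "anonymous ->", view(ANONYMOUS, "tmpEXAMPLE.download", "facility-A")[0])
        print(label, "admin of A on A ->", view(admin_a, "tmpEXAMPLE.download", "facility-A")[0])
        print(label, "admin of A on B ->", view(admin_a, "tmpEXAMPLE.download", "facility-B")[0])
```

The check is keyed on the facility_id in the URL rather than on the caller's own facility, so an admin of one facility cannot retrieve another facility's export simply by substituting the identifier taken from the tasks listing.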