test: add test confirming fix for GHSA-hf59-7rwq-785m
docs: illustrate where the fix occurred in the changelog
1 parent
48a8029
commit 802d5b2
Showing
4 changed files
with
94 additions
and
54 deletions.
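--- a/test/cve/empty_atomic_non_bulk_actions_policy_bypass_test.exs
+++ b/test/cve/empty_atomic_non_bulk_actions_policy_bypass_test.exs
@@ -0,0 +1,27 @@
+defmodule AshPostgres.EmptyAtomicNonBulkActionsPolicyBypassTest do
+@moduledoc """
+This is test verifies the fix for the following CVE:
+https://github.com/ash-project/ash_postgres/security/advisories/GHSA-hf59-7rwq-785m
+"""
+use AshPostgres.RepoCase, async: false
+
+alias AshPostgres.Test.PostWithEmptyUpdate
+
+require Ash.Query
+
+test "a forbidden error is appropriately raised on atomic upgraded, empty, non-bulk actions" do
+post =
+PostWithEmptyUpdate
+|> Ash.Changeset.for_create(:create, %{})
+|> Ash.create!()
+
+Logger.configure(level: :debug)
+
+assert_raise Ash.Error.Forbidden, fn ->
+post
+|> Ash.Changeset.for_update(:empty_update, %{}, authorize?: true)
+|> Ash.update!()
+end
+end
+end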
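Review bot: `Logger.configure(level: :debug)` just before the `assert_raise` block changes the global Logger level and never restores it, so every test that runs after this module (which is `async: false`) inherits debug logging; it reads as leftover debugging rather than part of the regression check. Either drop that line or restore the prior level on exit, e.g. `previous = Logger.level()`, `Logger.configure(level: :debug)`, `on_exit(fn -> Logger.configure(level: previous) end)`. The `@moduledoc` also has a typo: `This is test verifies the fix` should read `This test verifies the fix`. The `require Ash.Query` appears unused in this test body and could be dropped unless `RepoCase` relies on it, which I cannot confirm from the hunk.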
@@ -0,0 +1,41 @@ | ||
defmodule AshPostgres.Test.PostWithEmptyUpdate do | ||
@moduledoc false | ||
use Ash.Resource, | ||
domain: AshPostgres.Test.Domain, | ||
data_layer: AshPostgres.DataLayer, | ||
authorizers: [ | ||
Ash.Policy.Authorizer | ||
] | ||
|
||
require Ash.Sort | ||
|
||
policies do | ||
policy action(:empty_update) do | ||
# force visiting the database | ||
authorize_if(expr(fragment("TRUE = FALSE"))) | ||
end | ||
end | ||
|
||
postgres do | ||
table("posts") | ||
repo(AshPostgres.TestRepo) | ||
migrate? false | ||
end | ||
|
||
actions do | ||
defaults([:create, :read]) | ||
|
||
update :empty_update do | ||
accept([]) | ||
end | ||
end | ||
|
||
attributes do | ||
uuid_primary_key(:id, writable?: true) | ||
|
||
attribute(:title, :string) do | ||
public?(true) | ||
source(:title_column) | ||
end | ||
end | ||
end |