How to check the relationship between requested object with session token object? #1420
Labels
bug
Something isn't working
I4
No visible changes
neofs-storage
Storage node application issues
S2
Regular significance
U3
Regular
Comments
cthulhu-rider
added
bug
|
Discussed with @realloc @fyrchik @carpawell 2nd looks attractive. We need to make object list in object session context With this approach we will tighten authorization and access control of generated requests. |
|
From the service side, the cost of 2nd option is to have one/two extra requests. Is it possible to take advantage of nspcc-dev/neofs-api#220 in trusted environment and avoid setting object.IDs? To issue session token we need to find all children, if they exist. Probably the fastest way is to find linking object and get info from there. It will be nice to have search filter to that. Another option is to get |
cthulhu-rider
pushed a commit
to cthulhu-rider/neofs-node
that referenced
this issue
Sep 16, 2022
…uest In previous implementation of `neofs-node` app object session was not checked for substitution of the object related to it. Also, for access checks, the session object was substituted instead of the one from the request. This, on the one hand, made it possible to inherit the session from the parent object for authorization for certain actions. On the other hand, it covered the mentioned object substitution, which is a critical vulnerability. Next changes are applied to processing of all Object service requests: - check if object session relates to the requested object - use requested object in access checks Signed-off-by: Leonard Lyubich <[email protected]>
cthulhu-rider
pushed a commit
to cthulhu-rider/neofs-node
that referenced
this issue
Sep 16, 2022
…uest In previous implementation of `neofs-node` app object session was not checked for substitution of the object related to it. Also, for access checks, the session object was substituted instead of the one from the request. This, on the one hand, made it possible to inherit the session from the parent object for authorization for certain actions. On the other hand, it covered the mentioned object substitution, which is a critical vulnerability. Next changes are applied to processing of all Object service requests: - check if object session relates to the requested object - use requested object in access checks. Disclosed problem of object context inheritance will be solved within nspcc-dev#1420. Signed-off-by: Leonard Lyubich <[email protected]>
cthulhu-rider
pushed a commit
to cthulhu-rider/neofs-node
that referenced
this issue
Sep 16, 2022
…uest In previous implementation of `neofs-node` app object session was not checked for substitution of the object related to it. Also, for access checks, the session object was substituted instead of the one from the request. This, on the one hand, made it possible to inherit the session from the parent object for authorization for certain actions. On the other hand, it covered the mentioned object substitution, which is a critical vulnerability. Next changes are applied to processing of all Object service requests: - check if object session relates to the requested object - use requested object in access checks. Disclosed problem of object context inheritance will be solved within nspcc-dev#1420. Signed-off-by: Leonard Lyubich <[email protected]>
cthulhu-rider
pushed a commit
to cthulhu-rider/neofs-node
that referenced
this issue
Oct 4, 2022
…uest In previous implementation of `neofs-node` app object session was not checked for substitution of the object related to it. Also, for access checks, the session object was substituted instead of the one from the request. This, on the one hand, made it possible to inherit the session from the parent object for authorization for certain actions. On the other hand, it covered the mentioned object substitution, which is a critical vulnerability. Next changes are applied to processing of all Object service requests: - check if object session relates to the requested object - use requested object in access checks. Disclosed problem of object context inheritance will be solved within Signed-off-by: Leonard Lyubich <[email protected]> Signed-off-by: Leonard Lyubich <[email protected]>
cthulhu-rider
pushed a commit
to cthulhu-rider/neofs-node
that referenced
this issue
Oct 4, 2022
…uest In previous implementation of `neofs-node` app object session was not checked for substitution of the object related to it. Also, for access checks, the session object was substituted instead of the one from the request. This, on the one hand, made it possible to inherit the session from the parent object for authorization for certain actions. On the other hand, it covered the mentioned object substitution, which is a critical vulnerability. Next changes are applied to processing of all Object service requests: - check if object session relates to the requested object - use requested object in access checks. Disclosed problem of object context inheritance will be solved within Signed-off-by: Leonard Lyubich <[email protected]>
cthulhu-rider
pushed a commit
to cthulhu-rider/neofs-node
that referenced
this issue
Oct 5, 2022
…uest In previous implementation of `neofs-node` app object session was not checked for substitution of the object related to it. Also, for access checks, the session object was substituted instead of the one from the request. This, on the one hand, made it possible to inherit the session from the parent object for authorization for certain actions. On the other hand, it covered the mentioned object substitution, which is a critical vulnerability. Next changes are applied to processing of all Object service requests: - check if object session relates to the requested object - use requested object in access checks. Disclosed problem of object context inheritance will be solved within Signed-off-by: Leonard Lyubich <[email protected]>
cthulhu-rider
pushed a commit
to cthulhu-rider/neofs-node
that referenced
this issue
Oct 6, 2022
…uest In previous implementation of `neofs-node` app object session was not checked for substitution of the object related to it. Also, for access checks, the session object was substituted instead of the one from the request. This, on the one hand, made it possible to inherit the session from the parent object for authorization for certain actions. On the other hand, it covered the mentioned object substitution, which is a critical vulnerability. Next changes are applied to processing of all Object service requests: - check if object session relates to the requested object - use requested object in access checks. Disclosed problem of object context inheritance will be solved within Signed-off-by: Leonard Lyubich <[email protected]>
aprasolova
pushed a commit
to aprasolova/neofs-node
that referenced
this issue
Oct 19, 2022
…uest In previous implementation of `neofs-node` app object session was not checked for substitution of the object related to it. Also, for access checks, the session object was substituted instead of the one from the request. This, on the one hand, made it possible to inherit the session from the parent object for authorization for certain actions. On the other hand, it covered the mentioned object substitution, which is a critical vulnerability. Next changes are applied to processing of all Object service requests: - check if object session relates to the requested object - use requested object in access checks. Disclosed problem of object context inheritance will be solved within Signed-off-by: Leonard Lyubich <[email protected]>
roman-khimov
added
S2
|
Related to #2667. |
|
I think this is solved now. @cthulhu-rider? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In current implementation ACL service uses object ID from session token context for access control. As I remember, this was done in order to grant access to parties which assemble the object (request generation). However, storage node does not check the relationship between the object from the token and the explicitly requested object. This gives rise to potential access control violations in the system when a token issued to another object is used to obtain an object.
I propose to discuss possible approaches to fix this problem. Here are some solutions from my mind:
The text was updated successfully, but these errors were encountered: