
Activities. Any user can get the resource's activities using the file-id #9860

Closed
prashant-gurung899 opened this issue Aug 20, 2024 · 2 comments · Fixed by #10092
Labels: Priority:p1-urgent (Consider a hotfix release with only that fix), Type:Bug

Comments

@prashant-gurung899 (Contributor)

Similar to: #9849

Steps to reproduce

  1. Create a folder as user alice.

  2. As alice, create some files and perform some actions (edit/delete) in the folder.

  3. As the demo user, check the folder's activities using the resource (folder) id with a cURL request:

    curl 'https://localhost:9200/graph/v1beta1/extensions/org.libregraph/activities?kql=itemid%3A{folder-fileid}' \
      -u demo:demo -vk | jq

    {"value": [
      {
        ... # activities
      }
    ]}

Expected behavior

Expected not to get the list of activities when requested by a random user.

Actual behavior

Gets the list of all the activities in the folder.

@ScharfViktor (Contributor)

I prioritized it as prio2 because IMHO it's a security hole.

@ScharfViktor (Contributor) commented Sep 18, 2024

Steps:

  • admin shares folder f1 with einstein
  • einstein opens folder f1 in Shares -> copies the spaceId from the PROPFIND response body
  • put the spaceUUId into:

    curl 'https://localhost:9200/graph/v1beta1/extensions/org.libregraph/activities?kql=itemid%3A{spaceUUId}' \
      -u einstein:relativity -vk | jq

Expected: 403 error

Actual: einstein can see all actions of the admin's personal space 🤯
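Both reports come down to the same missing step: the activities endpoint must make an authorization decision on the resource named by the kql itemid filter before it returns anything. The Go snippet below is an added illustration of that check, not oCIS code and not the fix shipped in #10092; Authorizer, StaticAuthz and the in-memory activity store are hypothetical stand-ins for the storage backend's permission check and the activity service.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Activity is a simplified activity record (constructed for this example).
type Activity struct{ Actor, Action string }

// Authorizer reports whether user may read itemID (hypothetical; a real service asks the storage backend).
type Authorizer interface{ CanRead(user, itemID string) bool }

// StaticAuthz is a constructed access table: user -> readable item ids.
type StaticAuthz map[string][]string

func (a StaticAuthz) CanRead(user, itemID string) bool {
	for _, id := range a[user] {
		if id == itemID {
			return true
		}
	}
	return false
}

// ParseItemID extracts the id from a kql filter of the form "itemid:<id>".
func ParseItemID(kql string) (string, bool) {
	id := strings.TrimPrefix(kql, "itemid:")
	return id, id != kql && id != ""
}

// ListActivities is the hardened lookup: the store is read only after the requester's
// access to the resource is confirmed. It returns the activities and the HTTP status
// the handler should send (the kql query value arrives already URL-decoded).
func ListActivities(store map[string][]Activity, authz Authorizer, user, kql string) ([]Activity, int) {
	itemID, ok := ParseItemID(kql)
	if !ok {
		return nil, http.StatusBadRequest
	}
	if !authz.CanRead(user, itemID) {
		return nil, http.StatusForbidden // same reply whether or not the id exists
	}
	return store[itemID], http.StatusOK
}

func main() {
	store := map[string][]Activity{"folder-1": {{Actor: "alice", Action: "file-created"}}}
	_, status := ListActivities(store, StaticAuthz{"alice": {"folder-1"}}, "demo", "itemid:folder-1")
	fmt.Println("demo requesting folder-1 ->", status) // 403
}
```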
