pad.pub0.org

Commit Graph

Author	SHA1	Message	Date
Richard Hansen	b80a37173e	security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.	2020-09-15 21:40:25 +01:00
Richard Hansen	9e6d3f3f63	tests: Add authentication, authorization bypass tests	2020-09-15 20:03:30 +01:00

Author

SHA1

Message

Date

Richard Hansen

b80a37173e

security: Fix authorization bypass vulnerability

Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.

2020-09-15 21:40:25 +01:00

Richard Hansen

9e6d3f3f63

tests: Add authentication, authorization bypass tests

2020-09-15 20:03:30 +01:00

2 Commits (b80a37173efe592c07c89e2e16a7fe6602441ed5)