[
https://issues.apache.org/jira/browse/OAK-4301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15406132#comment-15406132
]
angela edited comment on OAK-4301 at 8/4/16 1:42 PM:
-----------------------------------------------------
Proposed patch including tests and documentation update.
[~tripod], maybe you want to take a closer look at this? the fix includes a
configuration option that turns on protection of rep:externalId by default. as
stated above using a dedicated mixin type was not feasible without major
rewrite of the whole module and i decided to just impose the protection using
the {{ExternalIdentityValidatorProvider}}.
With this enabled:
- writing {{rep:externalId}} is limited to the system session with 1 single
exception (i.e. adding user/group + external id) to keep the xml-import of
external users working. [~tripod] if you have the impression that this was not
needed, we could prevent writing altogether.
- {{rep:externalId}} must be of type STRING and single valued
- {{rep:externalId}} must be unique
- the restrictions imposed by {{rep:externalPrincipalNames}} remains unchanged
The following actions are still possible with sufficient permissions:
- create external users
- remove external users
was (Author: anchela):
Proposed patch including tests and documentation update.
[~tripod], maybe you want to take a closer look at this? the fix includes a
configuration option that turns on protection of rep:externalId by default. as
stated above using a dedicated mixin type was not feasible without major
rewrite of the whole module and i decided to just impose the protection using
the {{ExternalIdentityValidatorProvider}}.
With this enabled:
- writing {{rep:externalId}} is limited to the system session with 1 single
exception (i.e. adding user/group + external id) to keep the xml-import of
external users working. [~tripod] if you have the impression that this was not
needed, we could prevent writing altogether.
- {{rep:externalId}} must be of type STRING and single valued
- {{rep:externalId}} must be unique
- the restrictions imposed by {{rep:externalPrincipalNames}} remains unchanged
> Missing protection for system-maintained rep:externalId
> --------------------------------------------------------
>
> Key: OAK-4301
> URL: https://issues.apache.org/jira/browse/OAK-4301
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-external
> Reporter: angela
> Assignee: angela
> Priority: Critical
> Labels: security
> Fix For: 1.5.8
>
> Attachments: OAK-4301.patch
>
>
> while working on OAK-4101 i noticed that the current implementation doesn't
> provide any protection for the system maintained property {{rep:externalId}},
> which is intended to be an identifier for a given synchronized user/group
> within an external IDP.
> in other words:
> - the system doesn't assert the uniqueness of a given external-id
> - the external-id properties can be changed using regular JCR API
> up to now i didn't manage to exploit the missing protection with the current
> default implementation but i found that minor (legitimate) changes have the
> potential to turn this into a critical vulnerability.
> therefore I would strongly recommend to change the default implementation
> such that the rep:externalId really becomes system-maintained and prevent any
> unintentional or malicious modification outside of the scope of the
> sync-operations. furthermore uniqueness of this property should be asserted.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
