[ https://issues.apache.org/jira/browse/OAK-4301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15406132#comment-15406132 ]
angela edited comment on OAK-4301 at 8/4/16 1:42 PM:
-----------------------------------------------------

Proposed patch including tests and documentation update. [~tripod], maybe you want to take a closer look at this?

The fix includes a configuration option that turns on protection of rep:externalId by default. As stated above, using a dedicated mixin type was not feasible without a major rewrite of the whole module, and I decided to just impose the protection using the {{ExternalIdentityValidatorProvider}}. With this enabled:

- writing {{rep:externalId}} is limited to the system session with 1 single exception (i.e. adding user/group + external id) to keep the xml-import of external users working. [~tripod], if you have the impression that this was not needed, we could prevent writing altogether.
- {{rep:externalId}} must be of type STRING and single valued
- {{rep:externalId}} must be unique
- the restrictions imposed by {{rep:externalPrincipalNames}} remain unchanged

The following actions are still possible with sufficient permissions:

- create external users
- remove external users

was (Author: anchela):

Proposed patch including tests and documentation update. [~tripod], maybe you want to take a closer look at this?

The fix includes a configuration option that turns on protection of rep:externalId by default. As stated above, using a dedicated mixin type was not feasible without a major rewrite of the whole module, and I decided to just impose the protection using the {{ExternalIdentityValidatorProvider}}. With this enabled:

- writing {{rep:externalId}} is limited to the system session with 1 single exception (i.e. adding user/group + external id) to keep the xml-import of external users working. [~tripod], if you have the impression that this was not needed, we could prevent writing altogether.
- {{rep:externalId}} must be of type STRING and single valued
- {{rep:externalId}} must be unique
- the restrictions imposed by {{rep:externalPrincipalNames}} remain unchanged

> Missing protection for system-maintained rep:externalId
> --------------------------------------------------------
>
>                 Key: OAK-4301
>                 URL: https://issues.apache.org/jira/browse/OAK-4301
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>            Priority: Critical
>              Labels: security
>             Fix For: 1.5.8
>
>         Attachments: OAK-4301.patch
>
>
> While working on OAK-4101 I noticed that the current implementation doesn't
> provide any protection for the system-maintained property {{rep:externalId}},
> which is intended to be an identifier for a given synchronized user/group
> within an external IDP.
>
> In other words:
> - the system doesn't assert the uniqueness of a given external-id
> - the external-id properties can be changed using regular JCR API
>
> Up to now I didn't manage to exploit the missing protection with the current
> default implementation, but I found that minor (legitimate) changes have the
> potential to turn this into a critical vulnerability.
>
> Therefore I would strongly recommend changing the default implementation
> such that the rep:externalId really becomes system-maintained and preventing any
> unintentional or malicious modification outside of the scope of the
> sync-operations. Furthermore, uniqueness of this property should be asserted.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
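The commit-time protection described in the comment above (writes to {{rep:externalId}} limited to the system session, with the one exception for a newly added user/group, plus the STRING/single-valued constraint) can be sketched as an Oak {{ValidatorProvider}}. This is an added illustration, not the {{ExternalIdentityValidatorProvider}} from the OAK-4301 patch; the {{systemUserId}} constructor argument (the user id the sync operations commit under) and the {{protectExternalId}} flag are assumptions, and the uniqueness requirement is left out because it needs an index rather than a per-commit validator.

```java
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.state.NodeState;
// Hypothetical provider written for illustration; NOT the ExternalIdentityValidatorProvider from the patch.
public class ExternalIdProtectionValidatorProvider extends ValidatorProvider {
    static final String REP_EXTERNAL_ID = "rep:externalId";
    private final String systemUserId;       // assumption: the user id the sync operations commit under
    private final boolean protectExternalId; // the configuration option that switches protection on
    public ExternalIdProtectionValidatorProvider(String systemUserId, boolean protectExternalId) {
        this.systemUserId = systemUserId; this.protectExternalId = protectExternalId;
    }
    @Override
    protected Validator getRootValidator(NodeState before, NodeState after, CommitInfo info) {
        if (!protectExternalId) return null; // protection switched off: nothing to validate
        boolean isSystem = info != null && systemUserId.equals(info.getUserId());
        return new ExternalIdValidator(isSystem, false);
    }
    private static final class ExternalIdValidator extends DefaultValidator {
        private final boolean isSystem;
        private final boolean nodeAdded; // true while validating a node created in this very commit
        ExternalIdValidator(boolean isSystem, boolean nodeAdded) { this.isSystem = isSystem; this.nodeAdded = nodeAdded; }
        @Override public void propertyAdded(PropertyState after) throws CommitFailedException {
            if (!REP_EXTERNAL_ID.equals(after.getName())) return;
            checkShape(after);
            // the single exception: a freshly added user/group node carrying its external id (XML import)
            if (!isSystem && !nodeAdded) fail("may only be set by the system session");
        }
        @Override public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
            if (!REP_EXTERNAL_ID.equals(after.getName())) return;
            checkShape(after);
            if (!isSystem) fail("may only be changed by the system session");
        }
        @Override public void propertyDeleted(PropertyState before) throws CommitFailedException {
            if (REP_EXTERNAL_ID.equals(before.getName()) && !isSystem) fail("may only be removed by the system session");
        }
        // Descend into added and changed children only; DefaultValidator returns null for childNodeDeleted, so a
        // removed subtree is not inspected and removing an external user with sufficient permissions stays possible.
        @Override public Validator childNodeAdded(String name, NodeState after) { return new ExternalIdValidator(isSystem, true); }
        @Override public Validator childNodeChanged(String name, NodeState before, NodeState after) { return new ExternalIdValidator(isSystem, false); }
        private static void checkShape(PropertyState p) throws CommitFailedException {
            if (p.isArray() || p.getType() != Type.STRING) fail("must be a single-valued STRING");
        }
        private static void fail(String reason) throws CommitFailedException {
            throw new CommitFailedException(CommitFailedException.CONSTRAINT, 70, REP_EXTERNAL_ID + " " + reason);
        }
    }
}
```

A validator like this only raises the bar on the commit path; a unique property index is still needed to make the "must be unique" rule hold across concurrent commits.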