Bug 1729149

Summary: CVE-2019-10198 tfm-rubygem-foreman-tasks: Authorization bypasses when accessing task details [rhn_satellite_6-default]
Product: Red Hat Satellite Reporter: Adam Ruzicka <aruzicka>
Component: Tasks PluginAssignee: Adam Ruzicka <aruzicka>
Status: CLOSED ERRATA QA Contact: Peter Dragun <pdragun>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.4CC: aruzicka, cbuissar, dmoppert, egolov, inecas, mzalewsk, pdwyer, tbrisker
Target Milestone: 6.6.0Keywords: SecurityTracking, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tfm-rubygem-foreman-tasks-0.15.5.3-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-22 12:47:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1729130    

Description Adam Ruzicka 2019-07-11 13:15:57 UTC 
A user who has no roles or permissions can still view task's details both through the web UI and through api, if the user knows the UUID of the task. I know UUIDs are tough to guess, but...

This was introduced in foreman-tasks@79a0e2cb5 [1], before this commit tasks were looked up through find_resource which performed authorization checks. After this change, permissions are bypassed.

Steps to reproduce:
1) Have foreman with foreman-tasks >= 0.7.8
2) Trigger a couple of tasks
3) Create a user, assign no roles to the user
4.1) As the user, visit $foreman/foreman_tasks/tasks/$UUID, where $UUID is UUID of a task from 2)
4.2) As the user, visit $foreman/foreman_tasks/tasks/$UUID/sub_tasks, where $UUID is UUID of a task from 2) which has sub tasks
4.3) As the user, perform get request against $foreman/foreman_tasks/api/tasks/$UUID

Actual result:
In the UI, task details are shown. For task with sub tasks, sub tasks are shown on an index-like page.
In the API, details are provided.

Expected result:
In the UI, permission denied page is shown.
In the API , the request fails with either 403 or 404.

<pre>
# curl -u user:changeme -k https://localhost/foreman_tasks/api/tasks/f4211c3e-467f-405e-a70c-980d6c4d4e0f 2>/dev/null | ruby -e "require 'json'; puts JSON.pretty_generate(JSON.parse(STDIN.read))"
{
  "id": "f4211c3e-467f-405e-a70c-980d6c4d4e0f",
  "label": "Actions::RemoteExecution::RunHostJob",
  "pending": false,
  "action": "Remote action: Run sleep 60 on helpful-snipe.lxd",
  "username": "admin",
  "started_at": "2019-07-10 12:21:44 UTC",
  "ended_at": "2019-07-10 12:22:50 UTC",
  "state": "stopped",
  "result": "success",
  "progress": 1.0,
  "input": {
    "host": {
      "id": 1,
      "name": "helpful-snipe.lxd"
    },
    "job_category": "Commands",
    "description": "Run sleep 60",
    "delegated_action_id": 2,
    "locale": "en",
    "current_request_id": null,
    "current_timezone": "Europe/Prague",
    "current_user_id": 4,
    "current_organization_id": 1,
    "current_location_id": 2
  },
  "output": {
  },
  "humanized": {
    "action": "Remote action:",
    "input": "Run sleep 60 on helpful-snipe.lxd",
    "output": "Exit status: 0",
    "errors": [

    ]
  },
  "cli_example": null
}
</pre>

[1] - https://github.com/theforeman/foreman-tasks/pull/151/commits/79a0e2cb52fbf872863a3a176e5b1d9a09fc984d
Comment 1 Adam Ruzicka 2019-07-11 13:16:01 UTC 
Created from redmine issue https://projects.theforeman.org/issues/27275
Comment 2 Adam Ruzicka 2019-07-11 13:16:04 UTC 
Upstream bug assigned to aruzicka
Comment 4 Brad Buckingham 2019-07-12 15:20:36 UTC 
*** Bug 1729143 has been marked as a duplicate of this bug. ***
Comment 5 Bryan Kearney 2019-07-15 12:04:10 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/27275 has been resolved.
Comment 6 Doran Moppert 2019-07-15 23:40:09 UTC 
*** Bug 1729351 has been marked as a duplicate of this bug. ***
Comment 8 Peter Dragun 2019-08-20 10:05:16 UTC 
Verified with steps from problem description.
Comment 10 errata-xmlrpc 2019-10-22 12:47:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172