Bug 1208071 - CVE-2015-1844 foreman: API not scoping resources to taxonomies [rhn_satellite_6.1.0]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Security
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Tazim Kolhar
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: CVE-2015-1844 1208080
Reported: 2015-04-01 10:28 UTC by Marek Hulan
Modified: 2017-02-23 20:12 UTC
CC List: 6 users

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Clones: 1208080
Environment:
Last Closed: 2015-08-12 14:02:28 UTC
Target Upstream Version:


Attachments
user host (42.10 KB, image/png), 2015-04-29 09:31 UTC, Tazim Kolhar


Links
Foreman Issue Tracker 9947 (not private; last updated 2016-04-22 15:57:01 UTC)

Description Marek Hulan 2015-04-01 10:28:15 UTC
I created a new user with a dedicated role with the following permissions:

Host/managed: 	view_hosts

The user is a member of 1 organization and 2/4 locations. When logging in via the web interface, the user can only see the hosts belonging to that 1 organization/2 locations. However, an API call via /api/hosts lists the hosts of all organizations and all locations. The only way I could fix this was by applying a location/organization restriction to the view_hosts filter on the role.

Comment 1 Marek Hulan 2015-04-01 10:28:17 UTC
Created from redmine issue http://projects.theforeman.org/issues/9947

Comment 3 Bryan Kearney 2015-04-09 16:06:32 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/9947 has been closed
-------------
Marek Hulán
Applied in changeset commit:abe910f2a46f4ecc1f349263d0b4751ed46ff200.

Comment 5 Tazim Kolhar 2015-04-29 09:29:43 UTC
VERIFIED:
# rpm -qa | grep foreman
foreman-gce-1.7.2.17-1.el7sat.noarch
foreman-debug-1.7.2.17-1.el7sat.noarch
foreman-discovery-image-2.1.0-20.el7sat.noarch
foreman-compute-1.7.2.17-1.el7sat.noarch
foreman-ovirt-1.7.2.17-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.3-1.el7sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.9-1.el7sat.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.3-1.el7sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.7-1.el7sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.10-1.el7sat.noarch
foreman-proxy-1.7.2.4-1.el7sat.noarch
cloud-qe-9.idmqe.lab.eng.bos.redhat.com-foreman-client-1.0-1.noarch
cloud-qe-9.idmqe.lab.eng.bos.redhat.com-foreman-proxy-1.0-2.noarch
foreman-vmware-1.7.2.17-1.el7sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch
rubygem-hammer_cli_foreman-0.1.4.9-1.el7sat.noarch
foreman-libvirt-1.7.2.17-1.el7sat.noarch
foreman-selinux-1.7.2.13-1.el7sat.noarch
foreman-postgresql-1.7.2.17-1.el7sat.noarch
cloud-qe-9.idmqe.lab.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch
foreman-1.7.2.17-1.el7sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.9-1.el7sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.5-1.el7sat.noarch

steps:
create a new user with a dedicated role with the following permissions:

Host/managed: 	view_hosts

# curl -i -k -u test_user:redhat  -H "Accept: application/json" -X GET 'https://cloud-qe-09.idmqe.lab.eng.bos.redhat.com/api/v2/hosts'
HTTP/1.1 200 OK
Date: Wed, 29 Apr 2015 09:26:30 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Foreman_version: 1.7.2
Foreman_api_version: 2
Apipie-Checksum: a60bc49ae5a1e86a952e6cf4d6a3273f
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: must-revalidate, private, max-age=0
X-Request-Id: b0fe3da2475ba633ee9b78711a2922c9
X-Runtime: 0.353607
X-Rack-Cache: miss
X-Powered-By: Phusion Passenger 4.0.18
Set-Cookie: _session_id=BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJTgyZjVlYWZmMjU3NjBjM2QxNGQ3YzNlY2YyNzEwOTQ3BjsAVEkiC2xvY2FsZQY7AEZJIgdlbgY7AEY%3D--4dafed25d1e36d8872f5288ff02ef39b8b30947e; path=/; HttpOnly
ETag: "88c1d59ff6a305f42957d94bdcdd0a80"
Status: 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8

{
  "total": 1,
  "subtotal": 1,
  "page": 1,
  "per_page": 20,
  "search": null,
  "sort": {
    "by": null,
    "order": null
  },
  "results": [{"name":"shost.idmqe.lab.eng.bos.redhat.com","id":4,"ip":"192.168.100.2","environment_id":3,"environment_name":"KT_Default_Organization_Dev_cv_rhel71_2","last_report":"2015-04-29T09:03:12Z","mac":"52:54:00:66:b7:d9","realm_id":null,"realm_name":null,"sp_mac":null,"sp_ip":null,"sp_name":null,"domain_id":1,"domain_name":"idmqe.lab.eng.bos.redhat.com","architecture_id":1,"architecture_name":"x86_64","operatingsystem_id":1,"operatingsystem_name":"RHEL Server 7.1","subnet_id":1,"subnet_name":"libvirt","sp_subnet_id":null,"ptable_id":7,"ptable_name":"Kickstart default","medium_id":7,"medium_name":"Default_Organization/Library/RHEL7/RHEL7_x86_64","build":false,"comment":"","disk":"","installed_at":"2015-04-28T11:32:27Z","model_id":2,"model_name":"KVM","hostgroup_id":1,"hostgroup_name":"sgroup","owner_id":3,"owner_type":"User","enabled":true,"puppet_ca_proxy_id":1,"managed":true,"use_image":null,"image_file":"","uuid":"72be12a2-90bb-4423-98b7-cec1f63d54d3","compute_resource_id":1,"compute_resource_name":"libvirt","compute_profile_id":null,"compute_profile_name":null,"capabilities":["build","image"],"provision_method":"build","puppet_proxy_id":1,"certname":"shost.idmqe.lab.eng.bos.redhat.com","image_id":null,"image_name":null,"created_at":"2015-04-28T11:19:18Z","updated_at":"2015-04-29T09:03:16Z","last_compile":"2015-04-29T09:03:15Z","last_freshcheck":null,"serial":null,"source_file_id":null,"puppet_status":0,"organization_id":1,"organization_name":"Default Organization","location_id":2,"location_name":"Default Location"}]
}

screenshot attached
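The scoping test from the description and from the curl check above, as an added example that is not part of this bug report or of Foreman's code: it takes a /api/v2/hosts response body and flags every host whose organization_id or location_id lies outside the taxonomies assigned to the calling user, and it reports whether the page seen covers the whole result set. The response below is a constructed sample that follows the field layout shown in comment 5; in practice the body would be the JSON returned by the curl call.

```python
"""Check that a Foreman /api/v2/hosts response is scoped to the user's taxonomies."""
import json

# Constructed sample, not captured from a real system. Only the fields the
# check needs are kept; the layout follows the Foreman 1.7 API response above.
SAMPLE_RESPONSE = json.dumps({
    "total": 3, "subtotal": 3, "page": 1, "per_page": 20,
    "results": [
        {"name": "shost.example.test", "id": 4,
         "organization_id": 1, "location_id": 2},
        {"name": "other-org.example.test", "id": 9,
         "organization_id": 5, "location_id": 2},
        {"name": "other-loc.example.test", "id": 11,
         "organization_id": 1, "location_id": 7},
    ],
})


def out_of_scope_hosts(response_text, allowed_orgs, allowed_locs):
    """Return the hosts whose organization or location is outside the allowed sets.

    A correctly scoped API returns an empty list here; each entry is a host the
    user should not see (the behaviour this bug describes). Hosts with a null
    taxonomy are reported too, since they cannot be shown to be in scope.
    """
    body = json.loads(response_text)
    leaked = []
    for host in body["results"]:
        org = host.get("organization_id")
        loc = host.get("location_id")
        if org not in allowed_orgs or loc not in allowed_locs:
            leaked.append({"id": host["id"], "name": host["name"],
                           "organization_id": org, "location_id": loc})
    return leaked


def all_pages_seen(response_text):
    """True when this page already covers every match; otherwise fetch the remaining pages first."""
    body = json.loads(response_text)
    return body["page"] * body["per_page"] >= body["subtotal"]


if __name__ == "__main__":
    # The test user from the report: member of one organization and two locations.
    print("complete result set:", all_pages_seen(SAMPLE_RESPONSE))
    for host in out_of_scope_hosts(SAMPLE_RESPONSE, allowed_orgs={1}, allowed_locs={2, 3}):
        print("out of scope:", host)
```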

Comment 6 Tazim Kolhar 2015-04-29 09:31:00 UTC
Created attachment 1020050 [details]
user host

Comment 7 Bryan Kearney 2015-08-11 13:28:11 UTC
This bug is slated to be released with Satellite 6.1.

Comment 8 Bryan Kearney 2015-08-12 14:02:28 UTC
This bug was fixed in version 6.1.1 of Satellite, which was released on 12 August, 2015.