Thanks to visit codestin.com
Credit goes to github.com

Skip to content
This repository was archived by the owner on Apr 16, 2024. It is now read-only.

Bugfix/#1072 NotificationSettingsController vulnerabilities #1080

Merged
merged 23 commits into from
Dec 20, 2018
Merged

Bugfix/#1072 NotificationSettingsController vulnerabilities #1080

merged 23 commits into from
Dec 20, 2018

Conversation

@torss
Copy link
Collaborator

@torss torss commented Dec 19, 2018
edited
Loading

Description:

Closes #1072

Fixes the data leaks (full course & user leakage due to toObject) and access vulnerabilities of the three NotificationSettingsController routes. It simultaneously refactors the routes "severely", see below.

Improvements

  • To address the toObject-based data leaks a new INotificationSettingsView interface is introduced. It only contains the course ID besides the actual settings (notificationType & emailNotification). I.e. notification settings aren't even identified via their own internal IDs anymore, since a @CurrentUser & course pair is sufficient.
  • POST route was completely removed since it is obviated by the upgraded PUT route, which now has upsert enabled (among other refactoring and changes relating to INotificationSettingsView).
  • Arbitrary IDs are no longer allowed as route input in general (except for the PUT course), minimizing the attack surface. Instead the @CurrentUser is utilized etc. (This together with INotificationSettingsView responses secures GET completely.)
  • PUT route now handles 404 errors, i.e. when the course can't be found (+ new unit test).
  • PUT route also checks that the @CurrentUser is authorized to at least view the course (+ new unit test), although this is no longer strictly necessary from a security viewpoint due to the reduced attack surface.
  • Front-end parts are adjusted & refactored accordingly.
  • NotificationSettingsController unit test refactoring in general.
  • Unused NotificationSettings.ts front-end class file is removed.
  • (Other minor stuff like removing some unused imports, see the commits.)

Known Issues:

NONE

torss added 20 commits December 13, 2018 12:53
@torss
API: Remove some unused imports
8ed020f
@torss
API: Use TestHelper in notification settings tests
ffaa49d
@torss
Merge remote-tracking branch 'remotes/origin/develop' into bugfix/#1072
fd9172a 
…-NotificationSettingsController-vulnerabilities

# Conflicts (resolved):
#	api/test/controllers/TestNotificationController.ts
@torss
API: Remove unused imports
1521cb6
@torss
Use @currentuser for getNotificationSettings route
b5e5a11 
This fixes the arbitrary id request vulnerability that
enabled anyone to read everyone else's notification settings.
Merely minor front-end changes were required, since the route is
only used to get the current user's settings anyway.
@torss
Shared: Improve INotificationView doc formatting
e3482f1
@torss
Secure routes via new INotificationSettingsView
83b5812 
This is primarily meant to close the vulnerabilities that the unfiltered
toObject responses caused (i.e. full data leakage of course (& user) data),
but it also changes the PutNotificationSettings route to use the @currentuser
instead of an arbitrary user, since INotificationSettingsView doesn't contain
the user field any longer (but this alone does not yet fully secure the request
side of that route).
@torss
Upgrade putNotificationSettings route
94d8fa9 
- It now uses clearly defined `@BodyParam`s.
- Instead of requiring an explicit ID, it now simply utilizes the
  given `course` & `@CurrentUser` to identify the settings.
- `upsert` is now enabled, so that the route should be capable of
  completely replacing the functionality of createNotificationSettings
  too (but for that further code changes are necessary).
@torss
Replace create* with putNotificationSettings route
569f17b
@torss
Eliminate _id from INotificationSettingsView
05970b5 
This simplification is possible because there can only be one
NotificationSettings document per user/course pair anyway.
@torss
App: Refactor saveNotificationSettings
7210ca5
@torss
API: Empty putNotificationSettings success response
04afae9 
Because the front-end no longer needs the response info.
@torss
API: Add security note to putNotificationSettings
11d18cb
@torss
API: Fix two NotificationController doc typos
6b8f4d8
@torss
API: Add putNotificationSettings 404 & 403 checks
f63dde3
@torss
API: Refactor TestNotificationSettingsController
ce89e42
@torss
App: Add setNotificationSettings service method
8658ad3 
notificationSettingsService.updateItem(settings) didn't work because it
automatically appends the updateItem._id to the this.apiPath, while the
notification settings routes currently don't need any IDs at all.
@torss
App: Remove unused NotificationSettings.ts
95d2e4e
@torss
CHANGELOG: Add entries for issue 1072
1a722c7
@torss
Merge remote-tracking branch 'remotes/origin/develop' into bugfix/#1072
b6b2b4e 
…-NotificationSettingsController-vulnerabilities
@torss torss added bug This Issue describes a unwanted behavior api All Backend related Issues web-frontend All frontend related issues refactoring 🔒 security This directly pertains to geli's security! labels Dec 19, 2018
@torss torss merged commit 871f203 into develop Dec 20, 2018
@kesselb kesselb deleted the bugfix/#1072-NotificationSettingsController-vulnerabilities branch December 20, 2018 10:12
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@kesselb kesselb kesselb approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

api All Backend related Issues bug This Issue describes a unwanted behavior refactoring 🔒 security This directly pertains to geli's security! web-frontend All frontend related issues

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

🐛 BUG: NotificationSettingsController vulnerabilities

3 participants

@torss @kesselb