Skip to content

Security: Authenticated arbitrary resource file read via mismatched resourceFileId#8728

Open
AngelFQC wants to merge 1 commit into
chamilo:masterfrom
AngelFQC:security/auto-fix-GHSA-2prx-vqcv-mv68
Open

Security: Authenticated arbitrary resource file read via mismatched resourceFileId#8728
AngelFQC wants to merge 1 commit into
chamilo:masterfrom
AngelFQC:security/auto-fix-GHSA-2prx-vqcv-mv68

Conversation

@AngelFQC

Copy link
Copy Markdown
Member

The /r/{tool}/{type}/{uuid}/view handler authorized the resource node in the path but returned the separate ResourceFile selected by the resourceFileId query parameter without checking the file belonged to that node — an IDOR that let a low-privileged user read other users' files by numeric id. The handler now rejects (404) any resourceFileId whose resource node does not match the path node. In addition, the individual GET /api/resource_files/{id} operation is tightened from ROLE_USER to object-level is_granted('VIEW', object) (via the existing ResourceFileVoter) to close the metadata/existence oracle.

Note: the fix does not add a per-access-URL/tenant check for variants belonging to the same node (advisory remediation point 3); the primary cross-user/cross-course read is closed by the node-match check. Flagging the multi-URL variant nuance as a possible follow-up.

Refs GHSA-2prx-vqcv-mv68

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant