Enforce testcase-level access control for testcase blob downloads in /download#5297
Enforce testcase-level access control for testcase blob downloads in /download#5297evilgensec wants to merge 2 commits into
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
…/download The /download handler gated testcase-scoped blobs on the general access.has_access() check, using the testcase-level access.can_user_access_testcase() check only as a fallback. The sibling handlers serving the same blobs (viewer.py and testcase_detail/download_testcase.py) gate testcase content on can_user_access_testcase() first, which enforces the privileged-access requirement for security testcases (testcase.security_flag). As a result, a user with general access but without testcase-level access could download a testcase reproducer they are not permitted to view via /viewer. Gate testcase-scoped blobs on can_user_access_testcase() before the general access.has_access() check, matching viewer.py; retain has_access() for non-testcase blobs. Update the handler test accordingly.
evilgensec
force-pushed
the
fix-download-testcase-access-control
branch
from
e4bdc7b to
39f7814
Compare
crash_query returned a matching testcase id and bug id for any authenticated user, without the security_flag-aware scoping the sibling query handlers apply, so a non-privileged user supplying a matching stacktrace could confirm the existence of and read the testcase/bug id of a security-confidential testcase. Suppress the duplicate when it is security_flag and the caller cannot access it, using the same can_user_access_testcase check the per-testcase handlers use.
evilgensec
force-pushed
the
fix-download-testcase-access-control
branch
from
5522561 to
c9b8ff1
Compare
|
Added a second commit that applies the same |
1 participant
Summary
handlers/download.pyserves testcase-scoped blobs (a testcase's minimized/fuzzed reproducer) after only the generalaccess.has_access()check, consulting the testcase-levelaccess.can_user_access_testcase()check only as a fallback:The sibling handlers that serve the same testcase blobs gate testcase content on
can_user_access_testcase()first:handlers/viewer.py—if testcase_id: if not access.can_user_access_testcase(testcase): raise AccessDeniedError();has_access()is used only for non-testcase content.handlers/testcase_detail/download_testcase.py—access.check_access_and_get_testcase(testcase_id).can_user_access_testcase()escalates to privileged access for security testcases (need_privileged_access = testcase.security_flag and not config.relax_security_bug_restrictions), whereashas_access()(get_access(need_privileged_access=False)) also returnsAllowedfor anywhitelisted_domainsuser. As a result, on/downloada user with general access but without testcase-level access can download a testcase reproducer they are not permitted to view via/viewer.Change
Gate testcase-scoped blobs on
can_user_access_testcase()before the generalhas_access()check, matchingviewer.py; retainhas_access()for non-testcase blobs. Privileged users, the testcase uploader, and associated-bug participants are unaffected (they passcan_user_access_testcase()); domain-allowed users keep access to non-security testcases. The public OSS-Fuzz path (check_public_testcase) is unchanged and runs earlier.handlers/download_test.py'stest_download_useris updated to assert the corrected behavior: general access alone grants non-testcase blobs, and testcase blobs require testcase-level access.Note: the full handler suite was not run locally (it requires the datastore emulator); the change is a structural alignment with
viewer.pyand the test mirrors existing patterns in the file.