Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test: in and contains are dangerous #84

Merged
merged 1 commit into from
Jan 9, 2025
Merged

test: in and contains are dangerous #84

merged 1 commit into from
Jan 9, 2025

Conversation

schmichael
Copy link
Member

@schmichael schmichael commented Dec 18, 2024
edited
Loading

Workaround

This is precisely why products like Consul and Nomad allow for mapping scalar and list claims separately.

In the example below, Consul and Nomad users would map the Role claim with something like:

  "ClaimMappings": {
    "http://example.com/role": "role"
  },
  "ListClaimMappings": {
    "http://nomad.com/role": "role_list"
  }

And then use a selector like the following to differentiate between the scalar and list versions of Role:

(role == admin) or (admin in role_list)

Implementations of bexpr used for authz or other security sensitive operations based on user supplied data must map that data to statically typed fields as above to avoid privilege escalations.

I think it's probably worth merging this test to hopefully make this behavior a tiny bit more obvious.

Original Description

The in and contains operators work on multiple data types: strings (as a substring test) and containers (as a membership test).

Unfortunately it has been observed that some authorization servers will mix types in their responses which are processed by bexpr in auth binding rules.

For example an authorization server may return either:

{"Name": "Alice", "Role": "db_admin"}
{"Name": "Bob",   "Role": ["admin", "foo"]}

A binding rule attempting to match on the admin role would be written as:

admin in Role
Role contains admin

Unfortunately these bexpr expressions will match both Alice and Bob due to substring matching.

@schmichael
test: in and contains are dangerous
b366ded 
The `in` and `contains` operators work on multiple data types: strings
(as a substring test) and containers (as a membership test).

Unfortunately it has been observed that some authorization servers will
mix types in their responses which are processed by bexpr in auth
binding rules.

For example an authorization server may return either:

```
{"Name": "Alice", "Role": "db_admin"}
{"Name": "Bob",   "Role": ["admin", "foo"]}
```

A binding rule attempting to match on the `admin` role would be written
as:

```
admin in Role
Role contains admin
```

Unfortunately these bexpr expressions will match *both* Alice and Bob
due to substring matching.
@schmichael schmichael requested a review from mkeeler December 18, 2024 18:27
@schmichael schmichael requested a review from a team as a code owner December 18, 2024 18:27
mukeshjc
mukeshjc approved these changes Jan 9, 2025
View reviewed changes
Copy link
Contributor

@mukeshjc mukeshjc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@schmichael schmichael merged commit 7126c55 into main Jan 9, 2025
5 checks passed
@schmichael schmichael deleted the test-in branch January 9, 2025 17:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mukeshjc mukeshjc mukeshjc approved these changes

@jrasell jrasell jrasell approved these changes

@mkeeler mkeeler mkeeler approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@schmichael @mkeeler @jrasell @mukeshjc