Spring XD / XD-2872

Able to bypass authorization checks by appending ".json" or ".xml"


    Details

    • Type: Bug
    • Status: Done
    • Priority: Critical
    • Resolution: Complete
    • Affects Version/s: 1.1.1
    • Fix Version/s: 1.2 RC1
    • Component/s: REST

      Description

      How to reproduce:

      1) Enable security
      2) Use a user that has the following role only: "ROLE_CREATE"
      3) Make a normal REST call:

      http://localhost:9393/runtime/containers
      

      yields the desired response:

          {
             "timestamp": "2015-03-26T16:51:17.010Z",
             "status": 403,
             "error": "Forbidden",
             "message": "Access is denied",
             "path": "/runtime/containers"
          }
      

      Now try:

      http://localhost:9393/runtime/containers.json
      

      This produces:

          {
             "links":
             [
                 {
                     "rel": "self",
                     "href": "http://localhost:9393/runtime/containers{?page,size,sort}"
                 }
             ],
             "content":
             [
                 {
                     "containerId": "86eea5aa-b18e-41c5-a3f5-42dfa10713c1",
                     "groups": "",
                     "deploymentSize": 0,
                     "deployedModules":
                     [
                     ],
                     "messageRates": null,
                     "attributes":
                     {
                         "ip": "10.0.1.119",
                         "host": "INTEGRATION.local",
                         "groups": "",
                         "pid": "52686",
                         "id": "86eea5aa-b18e-41c5-a3f5-42dfa10713c1"
                     },
                     "links":
                     [
                         {
                             "rel": "self",
                             "href": "http://localhost:9393/runtime/containers/86eea5aa-b18e-41c5-a3f5-42dfa10713c1"
                         }
                     ]
                 }
             ],
             "page":
             {
                 "size": 20,
                 "totalElements": 1,
                 "totalPages": 1,
                 "number": 0
             }
          }
      

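The bypass reported above comes from two layers disagreeing about the request path: the security rule is matched against the raw URL (`/runtime/containers.json`), while the MVC layer strips the suffix and dispatches to the same handler as `/runtime/containers`. The following Python model is an added illustration, not Spring XD's code or its real security configuration: the rules, role names and the deny-by-default choice are hypothetical, chosen only to reproduce the shape of the bug and of a fix (authorize the canonical path the dispatcher will actually route, and deny paths no rule covers).

```python
"""Model of the XD-2872 suffix bypass: an authorization layer that matches
the raw request path, sitting in front of a dispatcher that strips
".json"/".xml" before choosing the handler.
Constructed illustration only; not Spring XD code."""
from __future__ import annotations

import re
from typing import Optional

# Hypothetical access rules in the style of Spring Security ant patterns.
# They are NOT Spring XD's real configuration; they reproduce the shape of
# the bug: the rule names the exact resource path, not its suffixed forms.
RULES = [
    ("/runtime/containers", {"ROLE_VIEW", "ROLE_ADMIN"}),
    ("/runtime/containers/*", {"ROLE_VIEW", "ROLE_ADMIN"}),
    ("/streams/**", {"ROLE_CREATE", "ROLE_ADMIN"}),
]

# The two suffixes the report shows slipping past the check.
PROBE_SUFFIXES = (".json", ".xml")


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern (**, *, ?) into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")          # any number of path segments
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")       # anything within a single segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def route_with_suffix_matching(path: str) -> tuple[str, Optional[str]]:
    """Emulate suffix-pattern matching in the MVC layer: the extension of the
    last segment is removed for handler lookup and used as the response format,
    so '/runtime/containers.json' reaches the '/runtime/containers' handler."""
    head, _, last = path.rpartition("/")
    base, dot, ext = last.rpartition(".")
    if dot and base:
        return f"{head}/{base}", ext
    return path, None


def _decide(path: str, roles: set[str], default_allow: bool) -> bool:
    """First matching rule wins; no match falls back to default_allow."""
    for pattern, required in RULES:
        if ant_to_regex(pattern).match(path):
            return bool(roles & required)
    return default_allow


def authorize_naive(path: str, roles: set[str]) -> bool:
    """Vulnerable shape: rules are matched against the raw path, and a path
    no rule covers is let through (authenticated user, no role demanded)."""
    return _decide(path, roles, default_allow=True)


def authorize_hardened(path: str, roles: set[str]) -> bool:
    """Fixed shape: (1) authorize the same canonical path the dispatcher will
    route, so '/runtime/containers.json' is judged as '/runtime/containers';
    (2) deny anything no rule covers instead of silently allowing it."""
    canonical, _ = route_with_suffix_matching(path)
    return _decide(canonical, roles, default_allow=False)


def find_bypasses(path: str, roles: set[str]) -> list[str]:
    """Pentest-style check: for a path the caller is denied on, return the
    suffixed variants that the naive authorizer would accept."""
    if authorize_naive(path, roles):
        return []
    return [path + s for s in PROBE_SUFFIXES if authorize_naive(path + s, roles)]


if __name__ == "__main__":
    creator = {"ROLE_CREATE"}   # the role from the reproduction steps
    print(authorize_naive("/runtime/containers", creator))           # False (403)
    print(authorize_naive("/runtime/containers.json", creator))      # True  (the bug)
    print(find_bypasses("/runtime/containers", creator))             # ['/runtime/containers.json', '/runtime/containers.xml']
    print(authorize_hardened("/runtime/containers.json", creator))   # False
```

`find_bypasses` is the check a reviewer would run against every role-restricted path after a fix: any suffixed variant it returns is a path the dispatcher will serve but the rules never see. The hardened version shows the two independent defences; the first (canonicalising, or equivalently disabling suffix matching so there is nothing to canonicalise) closes this bug, the second (deny by default) limits the damage from the next path-matching mismatch.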
People

Assignee: Gunnar Hillert (hillert)
Reporter: Gunnar Hillert (hillert)
Votes: 0
Watchers: 1
