From 6613f2381fabd17ccba1f760f4c520fa300f5364 Mon Sep 17 00:00:00 2001
From: Philipp Kilian
Date: Thu, 13 Jun 2024 16:40:31 +0200
Subject: [PATCH 1/3] getRecordings: fix bug in getRecordings endpoint
---
 b3lb/rest/classes/api.py | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/b3lb/rest/classes/api.py b/b3lb/rest/classes/api.py
index 9f01705..a558f16 100644
--- a/b3lb/rest/classes/api.py
+++ b/b3lb/rest/classes/api.py
@@ -335,7 +335,7 @@ def allowed_methods(self) -> List[Literal["GET", "POST", "DELETE", "PATCH", "PUT
 def filter_recordings(self, meeting_id: str = "", recording_id: str = "") -> QuerySet[Record]:
 if self.state and self.state not in ["unpublished", "published"]:
- return QuerySet(model=Record) # return empty QuerySet if state isn't in allowed states
+ return Record.objects.none() # return empty QuerySet if state isn't in allowed states
 query = Q(record_set__secret=self.secret)
@@ -344,14 +344,12 @@ def filter_recordings(self, meeting_id: str = "", recording_id: str = "") -> Que
 UUID(recording_id)
 query &= Q(uuid=recording_id)
 except ValueError:
- return QuerySet(model=Record) # return empty QuerySet for BadRequest
+ return Record.objects.none() # return empty QuerySet for BadRequest
- if meeting_id:
- try:
- UUID(meeting_id)
- query %= Q(record_set__meta_meeting_id=meeting_id)
- except ValueError:
- return QuerySet(model=Record) # return empty QuerySet for BadRequest
+ if meeting_id and 2 <= len(self.meeting_id) <= cst.MEETING_ID_LENGTH:
+ query &= Q(record_set__meta_meeting_id=meeting_id)
+ elif meeting_id:
+ return Record.objects.none() # return empty QuerySet for BadRequest
 if self.state == "published":
 query &= Q(published=True)
From d6160edeab0bc0e0abe74c16c81c3e60d9f8189f Mon Sep 17 00:00:00 2001
From: Philipp Kilian
Date: Thu, 13 Jun 2024 16:41:46 +0200
Subject: [PATCH 2/3] changelog: update for version 3.2.4
---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)
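Review bot: The inline comment kept on the new `+` line (`# return empty QuerySet if state isn't in allowed states`) repeats what the old code already claimed but not why the change matters: `QuerySet(model=Record)` is an unfiltered queryset, so, per the 3.2.4 changelog entry later in this series, these early returns exposed every tenant's records instead of none. I would make the comment carry that constraint so nobody reverts it for brevity: `return Record.objects.none()  # must be .none(): an unfiltered QuerySet(model=Record) would span all tenants`. The same applies to the two `.none()` returns in the second hunk (`@@ -344,14 +344,12 @@`). The series also ships no regression test; one that calls `filter_recordings` with an invalid `state` and with a non-UUID `recording_id` while records under another secret exist, asserting `.count() == 0`, would pin the fix. filter_recordings continues past both hunks.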
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f0fd5a2..7e9c609 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # ChangeLog
+## 3.2.4 - 2024-06-15
+
+Fixes:
+- fix bug in getRecordings endpoint
+
 ## 3.2.3 - 2024-05-28
 Fixes:
From cfbc3a8142732fe1f7afbcb1223b60957491759a Mon Sep 17 00:00:00 2001
From: Philipp Kilian
Date: Sun, 16 Jun 2024 21:30:39 +0200
Subject: [PATCH 3/3] api: update for review changes
---
 CHANGELOG.md | 8 +++++---
 b3lb/rest/classes/api.py | 9 +++++----
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e9c609..dc776d6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,11 @@
 # ChangeLog
-## 3.2.4 - 2024-06-15
+## 3.2.4 - 2024-06-16
 Fixes:
-- fix bug in getRecordings endpoint
+- fix **security** bug in getRecordings endpoint
+
+This release fixes a security bug that allowed authenticated api requests to manage recordings of any tenants and their secrets.
 ## 3.2.3 - 2024-05-28
@@ -21,7 +23,7 @@ Fixes:
 Changes:
 - adjust to BBB 2.7.8 API changes
- - forbid POST request for `join` endpoint ()
+ - forbid POST request for `join` endpoint
 - adjustments for POST headers are already handled
 - meeting name check:
 - add check for meeting name length for faster response without sending a request to backend systems
diff --git a/b3lb/rest/classes/api.py b/b3lb/rest/classes/api.py
index a558f16..9400a18 100644
--- a/b3lb/rest/classes/api.py
+++ b/b3lb/rest/classes/api.py
@@ -346,10 +346,11 @@ def filter_recordings(self, meeting_id: str = "", recording_id: str = "") -> Que
 except ValueError:
 return Record.objects.none() # return empty QuerySet for BadRequest
- if meeting_id and 2 <= len(self.meeting_id) <= cst.MEETING_ID_LENGTH:
- query &= Q(record_set__meta_meeting_id=meeting_id)
- elif meeting_id:
- return Record.objects.none() # return empty QuerySet for BadRequest
+ if meeting_id:
+ if 2 <= len(meeting_id) <= cst.MEETING_ID_LENGTH:
+ query &= Q(record_set__meta_meeting_id=meeting_id)
+ else:
+ return Record.objects.none() # return empty QuerySet for BadRequest
 if self.state == "published":
 query &= Q(published=True)
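Review bot: The `# return empty QuerySet for BadRequest` comment on the new `else:` branch (and the identical one on the `except ValueError:` context line above) states the intent but not the invariant this series exists for, so I would say it once where the early returns begin: `# NOTE: every early return must be Record.objects.none(); an unfiltered QuerySet would span all tenants (see 3.2.4 changelog)`. Secondly, the length check replaces the old UUID parse, so `meeting_id` is now matched as an opaque string; that is fine here because it only reaches the ORM as the parameter of an exact-match `Q(record_set__meta_meeting_id=...)`, but a docstring line noting that `meeting_id` is validated by length only, not by format, would keep the next reader from re-adding the UUID check. The nested `if meeting_id:` / `if 2 <= len(meeting_id) ...` / `else:` could also be written as a guard clause in the early-return shape the `recording_id` branch already uses, but that is cosmetic. filter_recordings starts before and ends after this hunk.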