IBX-5236: Added version parameter validation in DownloadController #3150
Conversation
|
Kudos, SonarCloud Quality Gate passed!
|
Agree, but are you 100% sure that it is not possible to devise a string which will allow the user to load a different content / version than the intended one? That is the real issue at stake here - bypassing security policies. |
| $version = (int) $request->query->get('version'); | ||
| if ($version <= 0) { | ||
| throw new NotFoundException('File', $filename); | ||
| } | ||
| $content = $this->contentService->loadContent($contentId, null, $version); |
There was a problem hiding this comment.
| $version = (int) $request->query->get('version'); | |
| if ($version <= 0) { | |
| throw new NotFoundException('File', $filename); | |
| } | |
| $content = $this->contentService->loadContent($contentId, null, $version); | |
| $version = $request->query->getInt('version'); | |
| if ($version <= 0) { | |
| throw new NotFoundException('File', $filename); | |
| } | |
| $content = $this->contentService->loadContent($contentId, null, $version); |
There was a problem hiding this comment.
or potentially `\Symfony\Component\HttpFoundation\Exception\BadRequestException`
There was a problem hiding this comment.
Thanks. Clearing the question of whether it potentially can be accepted for merge, before applying this.
|
@alongosz This is indeed not security, I could have stated that more clearly. The question is rather: Is this an absolute rule, or can there be some wiggle room for good security practice, even if there is no known, likely or expected vulnerability here? |
-1 from my side because of the cost. This repository is outside of gitflow. It would require unplanned QA & release. I don't see any value in adding this to so old version of the product, given it just results in 500 exception. The solution for that would be: "upgrade please". But it's really not up to me, but up to @adamwojs and/or @webhdx. |
|
Side note: CI is failing |
|
Fair points, absolutely. The CI issue is unrelated, but I might want to look into it at some point, especially if it happens in 3.3+ also. |
See my comment above: did anyone at Ibexa actually try to create an attack where a specially crafted version number string can be used to trick the system into creating a cache-key which is valid and could correspond to a different content, or not? If not, I do not think that we can say that a vulnerability is unlikely and unexpected. Please bear in mind that there are atm many items stored in the Presistence Cache, which have cache keys built from different patterns, and those patterns do have a varying number of elements... On a side note: thinking more about this issue, and the fact that this is not the only controller which suffers from this lack of sanitization, I came to the conclusion that the correct place to fix it is rather (or in addition) the place where the cache-key is generated, out of a pattern. The code which generates it should execute a typecast on all cache-key parts which are known to be integers. This is the most similar equivalent of doing a bind-by-param in a database query where the version nr. is an integer column. |
|
@gggeek We can't prove a negative. I mean, no one can prove 100% that any large piece of software is free from vulnerabilities. Two Ibexa devs have looked carefully at the call stack now and not found any vulnerability. This was also reviewed back in July 2022 when the fix was first made. Security concerns were reviewed back then as well. That cannot rule out vulnerabilities, nothing can. In my view the sanitation should happen as soon as possible in the stack, but doing it at multiple levels for redundancy is fine, within reason. Personally I think it's better to throw exceptions than typecast, but I went with a cast + exception here to stay in sync with the original fix. |
|
@glye I won't insist: if you say that two developers looked already at this issue and were satisfied with the current situation / this fix, I have no reason not to trust them. I will however abuse a little more your time and patience (and this ticket) to explain my line of thinking. I am not asking Ibexa for a formal proof of safety/security here - I agree that it is both impractical in real-life and impossible in theory (halting problem and all that). Instead, assuming I was "the Product Boss", this is what I would try to make sure is happening:
Part, or even all of the above, might in fact have happened behind closed doors. But I am not privy to that. On the other hand, what I see in the public communication makes me feel that the issue might be underestimated, simply because the payload originally reported did not achieve the false cache-sharing. |
v2.5This was fixed before in v3.3: ezsystems/ezplatform-kernel#319
but could use a fix in v2.5 too. Note v2.5 is EOM, but not EOL. This is not a security issue, so should normally not be released for v2.5, but could we do it anyway for best practice reasons? TBD.
Checklist:
$ composer fix-cs).@ezsystems/engineering-team).