Tryton - Issues


Issue7766

Title: Enforce guessing field value without access
Priority: feature
Status: resolved
Superseder:
Nosy List: bch, ced, nicoe, pokoli, roundup-bot, sharkcz, yangoon
Type: security
Components: trytond
Assigned To: ced
Keywords: review
Reviews: 50591002

Created on 2018-10-05.00:39:12 by ced, last changed by roundup-bot.

Messages
New changeset cf0ced89a47a by Cédric Krier in branch 'default':
Check read access on field in search domain
https://hg.tryton.org/tryton-env/rev/cf0ced89a47a

New changeset 52b1acb313aa by Cédric Krier in branch 'default':
Check read access on field in search domain
https://hg.tryton.org/trytond/rev/52b1acb313aa

New changeset 740ccb5a6c91 by Cédric Krier in branch 'default':
Refactoring test account and include search
https://hg.tryton.org/trytond/rev/740ccb5a6c91

New changeset 5aab769514b0 by Cédric Krier in branch '5.0':
Check read access on field in search domain
https://hg.tryton.org/trytond/rev/5aab769514b0

New changeset b305301d80f3 by Cédric Krier in branch '4.8':
Check read access on field in search domain
https://hg.tryton.org/trytond/rev/b305301d80f3

New changeset 8f92bac113fa by Cédric Krier in branch '4.6':
Check read access on field in search domain
https://hg.tryton.org/trytond/rev/8f92bac113fa

New changeset 31109d0ec6e0 by Cédric Krier in branch '4.4':
Check read access on field in search domain
https://hg.tryton.org/trytond/rev/31109d0ec6e0

New changeset ccd53bd0fa25 by Cédric Krier in branch '4.2':
Check read access on field in search domain
https://hg.tryton.org/trytond/rev/ccd53bd0fa25

New changeset 2e8f89833046 by Cédric Krier in branch '4.0':
Check read access on field in search domain
https://hg.tryton.org/trytond/rev/2e8f89833046

New changeset b17fefe97cf8 by Cédric Krier in branch 'default':
Check read access on field in search domain
https://hg.tryton.org/modules/stock_supply/rev/b17fefe97cf8

New changeset cf0185472698 by Cédric Krier in branch '5.0':
Check read access on field in search domain
https://hg.tryton.org/modules/stock_supply/rev/cf0185472698

New changeset ed08e846c48a by Cédric Krier in branch '4.8':
Check read access on field in search domain
https://hg.tryton.org/modules/stock_supply/rev/ed08e846c48a

New changeset 9aed8f7f5434 by Cédric Krier in branch '4.6':
Check read access on field in search domain
https://hg.tryton.org/modules/stock_supply/rev/9aed8f7f5434

New changeset 64d590073060 by Cédric Krier in branch '4.4':
Check read access on field in search domain
https://hg.tryton.org/modules/stock_supply/rev/64d590073060

New changeset daa893f69d7b by Cédric Krier in branch '4.2':
Check read access on field in search domain
https://hg.tryton.org/modules/stock_supply/rev/daa893f69d7b

New changeset 532006616011 by Cédric Krier in branch '4.0':
Check read access on field in search domain
https://hg.tryton.org/modules/stock_supply/rev/532006616011

New changeset ed68c5e22855 by Cédric Krier in branch 'default':
Check read access on field in search domain
https://hg.tryton.org/modules/sale_supply/rev/ed68c5e22855

New changeset 72d11f904bde by Cédric Krier in branch '5.0':
Check read access on field in search domain
https://hg.tryton.org/modules/sale_supply/rev/72d11f904bde

New changeset 730f037f94a9 by Cédric Krier in branch '4.8':
Check read access on field in search domain
https://hg.tryton.org/modules/sale_supply/rev/730f037f94a9

New changeset d163c4767641 by Cédric Krier in branch '4.6':
Check read access on field in search domain
https://hg.tryton.org/modules/sale_supply/rev/d163c4767641

New changeset 0ddd62058f42 by Cédric Krier in branch '4.4':
Check read access on field in search domain
https://hg.tryton.org/modules/sale_supply/rev/0ddd62058f42

New changeset 4fdde5337f5b by Cédric Krier in branch '4.2':
Check read access on field in search domain
https://hg.tryton.org/modules/sale_supply/rev/4fdde5337f5b

New changeset 2b94f3ff0e3b by Cédric Krier in branch '4.0':
Check read access on field in search domain
https://hg.tryton.org/modules/sale_supply/rev/2b94f3ff0e3b

New changeset 47bd483cd0b4 by Cédric Krier in branch 'default':
Check read access on field in search domain
https://hg.tryton.org/modules/purchase_request/rev/47bd483cd0b4

New changeset 43312e2d4581 by Cédric Krier in branch '5.0':
Check read access on field in search domain
https://hg.tryton.org/modules/purchase_request/rev/43312e2d4581

New changeset 92ad11e7c064 by Cédric Krier in branch '4.8':
Check read access on field in search domain
https://hg.tryton.org/modules/purchase_request/rev/92ad11e7c064

New changeset 0c1f96b0259d by Cédric Krier in branch '4.6':
Check read access on field in search domain
https://hg.tryton.org/modules/purchase_request/rev/0c1f96b0259d

New changeset 239b6768d3fb by Cédric Krier in branch '4.4':
Check read access on field in search domain
https://hg.tryton.org/modules/purchase_request/rev/239b6768d3fb

New changeset 4397c3d1fd34 by Cédric Krier in branch '4.2':
Check read access on field in search domain
https://hg.tryton.org/modules/purchase_request/rev/4397c3d1fd34

New changeset fbd519c6f066 by Cédric Krier in branch '4.0':
Check read access on field in search domain
https://hg.tryton.org/modules/purchase_request/rev/fbd519c6f066

New changeset 3a3d57ee2190 by Cédric Krier in branch 'default':
Check read access on field in search domain
https://hg.tryton.org/modules/account_dunning/rev/3a3d57ee2190

New changeset 858bb1bf571f by Cédric Krier in branch '5.0':
Check read access on field in search domain
https://hg.tryton.org/modules/account_dunning/rev/858bb1bf571f

New changeset 302502dbcbb4 by Cédric Krier in branch '4.8':
Check read access on field in search domain
https://hg.tryton.org/modules/account_dunning/rev/302502dbcbb4

New changeset 62b3ceb088b0 by Cédric Krier in branch '4.6':
Check read access on field in search domain
https://hg.tryton.org/modules/account_dunning/rev/62b3ceb088b0

New changeset 2cab10bd02b6 by Cédric Krier in branch '4.4':
Check read access on field in search domain
https://hg.tryton.org/modules/account_dunning/rev/2cab10bd02b6

New changeset 6a052073399a by Cédric Krier in branch '4.2':
Check read access on field in search domain
https://hg.tryton.org/modules/account_dunning/rev/6a052073399a

New changeset 979f9accaefc by Cédric Krier in branch '4.0':
Check read access on field in search domain
https://hg.tryton.org/modules/account_dunning/rev/979f9accaefc

msg44787 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-11-07.00:16:49
I prepared the news: https://discuss.tryton.org/t/security-release-for-issue7766/861

I propose to schedule the security release Monday 12 November.
msg44730 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-11-02.20:15:07
Also it requires decorating ModelStorage._value with without_check_access, which is only available from 4.2. So I am not thinking about backporting this fix to the 4.0 branch, which should anyway already be closed.
msg44729 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-11-02.20:12:58
Here is review50591002
I have refactored test_access to follow AAA so it is easier to test this new behavior. Of course, the test refactoring will be committed only on trunk.
It also required some test scenario fixes for those using a non-admin user. But I had to break the policy of no XML changes for stock_supply because the supply wizard triggers the action to open purchase requests, and so the stock admin must have at least read access on them. I think we will just mention this exception in the security news.
msg44340 (view) Author: [hidden] (pokoli) (Tryton committer) (Tryton translator) Date: 2018-10-05.14:24:36
Ok, that makes sense.
msg44336 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-10-05.13:01:54
Raise an error.
msg44335 (view) Author: [hidden] (pokoli) (Tryton committer) (Tryton translator) Date: 2018-10-05.12:49:29
And what will the behavior be if the user does not have access to the field? Remove the field from the domain?
msg44328 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2018-10-05.00:39:11
For now, a user can search on any field, with or without nested notation.
This may allow a user who does not have read access to some model or field to try to guess values by performing crafted queries.
For example, if the user does not have access to the employee cost_price, he can make a search like this: [('id', '=', employee_id), ('cost_price', '=', x)] and vary x until he gets a result.

So I propose that ModelStorage.search check the read access to the fields used in the domain. It should test direct fields but also nested ones. This should be done only if _check_access is True.
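The check proposed in msg44328, with the outcome agreed in msg44336 (raise an error), as an added example that is not Tryton's code: every direct and dotted field in a search domain is checked for read access before the search runs, and the check is skipped when check_access is False. The models, users and the access table are constructed for the example.

```python
# Added example (not Tryton's code): check read access on every field that a
# search domain filters on, direct or dotted, before the search runs.
# constructed model metadata: model -> {field: target model if relational}
MODELS = {
    "company.employee": {"id": None, "party": "party.party", "cost_price": None},
    "party.party": {"id": None, "name": None, "code": None},
}
# constructed access table: (user, model, field) the user may NOT read
DENIED = {("alice", "company.employee", "cost_price"),
          ("alice", "party.party", "code")}

class AccessError(Exception):
    pass

def iter_fields(domain):
    """Yield the field path of every clause in a (possibly nested) domain."""
    for item in domain:
        if isinstance(item, str):          # bare 'AND' / 'OR' connector
            continue
        # a clause (field, op, value) has two strings first; a nested
        # sub-domain such as ['OR', [...], [...]] has a list in position 1
        if isinstance(item[0], str) and isinstance(item[1], str):
            yield item[0]
        else:
            yield from iter_fields(item)

def check_read_access(user, model, domain, check_access=True):
    """Raise AccessError if `user` may not read a field the domain uses;
    dotted paths are checked model by model. Returns the pairs checked."""
    checked = []
    # check_access=False marks a trusted internal call: nothing to verify
    for path in (iter_fields(domain) if check_access else ()):
        current, parts = model, path.split(".")
        for i, name in enumerate(parts):
            fields = MODELS.get(current, {})  # {} after a non-relational hop
            if name not in fields:
                raise AccessError(f"unknown field {current}.{name}")
            if (user, current, name) in DENIED:
                raise AccessError(f"{user} may not read {current}.{name}")
            checked.append((current, name))
            if i < len(parts) - 1:
                current = fields[name]        # None if not relational
    return checked

def is_domain_readable(user, model, domain, check_access=True):
    try:
        check_read_access(user, model, domain, check_access)
    except AccessError:
        return False
    return True
```

With this in place the probing domain from msg44328 is rejected before any record is compared, so the result set can no longer act as an oracle for a field the user may not read.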
History
Date                | User        | Action | Args
2018-11-12 18:09:09 | roundup-bot | set    | messages: + msg44863
2018-11-12 18:08:23 | roundup-bot | set    | messages: + msg44862
2018-11-12 18:07:40 | roundup-bot | set    | messages: + msg44861
2018-11-12 18:06:45 | roundup-bot | set    | messages: + msg44860
2018-11-12 18:05:42 | roundup-bot | set    | messages: + msg44859
2018-11-12 18:05:04 | roundup-bot | set    | nosy: + roundup-bot; messages: + msg44858
2018-11-12 18:04:52 | ced         | set    | status: testing -> resolved
2018-11-07 00:16:51 | ced         | set    | messages: + msg44787
2018-11-02 20:15:07 | ced         | set    | messages: + msg44730
2018-11-02 20:13:10 | ced         | set    | reviews: 50591002; keyword: + review
