request #38259 ID confusion in query for bulk check of Artifact permissions

Artifact

Infos

Artifact ID#38259

Submitted byJoris MASSON (jmasson)

Last Modified On2024-05-24 11:43

Submitted on2024-05-23 17:31

Rank39863

Details

Summary *

ID confusion in query for bulk check of Artifact permissions

Original Submission

When the feature flag feature_flag_new_tracker_permissions_check is set to 1
and an artifact A1 exists in a tracker T and the current user does NOT have access to the tracker T (and therefore should NOT have access to artifact A1)
and anything else has the same numeric ID as tracker T and a permission is set on said thing that allows the current user to see it (for example, another artifact A2 has the same numeric ID as tracker T and has permissions on artifact that includes the current user)
Then the DB query that retrieves artifacts will return artifact A1 when it should not. The REST API is using this query, but it double-checks the tracker permissions, and does not return artifact A1 in this situation. Confidentiality is safeguarded.

It requires a permission to be defined on an object with the same numeric ID AND said permission must be on a user group including the current user (for example on Project Members).

The quickest way to reproduce is to run the DB integration tests on current master:

make tests-db SEED=1716305341

The first test should fail with an additional unexpected artifact ID found.

CategoryTrackers

Reported in version15.8

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toJoris MASSON (jmasson)

StatusClosed

Close date2024-05-24

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #36799	Tuleap	Releases	15.10	Delivered	2024-04-07 16:42	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #38259

Git commit

tuleap/tuleap/stable

Fix request #38259 ID confusion in query for bulk check of Artifact permissions 6f041db92f

Joris MASSON (jmasson) , 2024-05-24 10:44

Merge commit 'refs/changes/46/31146/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 28c1ef489a

Kevin Traini (ktraini) , 2024-05-24 11:41

Show items referenced by request #38259

Referenced by request #38259

Artifact Tracker v5

rel #36799 15.10

Git commit

tuleap/tuleap/stable

feat: TrackersPermissionsRetriever can fetch permissions for multiple artifacts 2ea790a7a1

Kevin Traini (ktraini) , 2024-04-23 09:08

Fix request #38259 ID confusion in query for bulk check of Artifact permissions 6f041db92f

Joris MASSON (jmasson) , 2024-05-24 10:44

Other

gerrit #31142

gerrit #31146

Follow-ups

Kevin Traini (ktraini)

2024-05-24 11:43

Connected artifacts
- Added Fixed in: rel #36799

Tracker Workflow Manager (forge__tracker_workflow_manager)

2024-05-24 11:41

request fixed by @jmasson with git #tuleap/stable/6f041db92fb6ab1dd45ebec39e82ec24b6916a1e.

Status changed from Under review to Closed
Close date set to 2024-05-24

Joris MASSON (jmasson)

2024-05-24 10:43

Summary
-~~Bulk~~ check of Artifact permissions ~~can give unwanted access to artifacts~~
+ID confusion in query for bulk check of Artifact permissions
Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Joris MASSON (jmasson)

2024-05-23 17:43

last edited by: Joris MASSON (jmasson)

2024-05-24 10:46

See gerrit #31146

Status changed from Under implementation to Under review

Public

Artifact links

Releases

Fixed in

Reverse artifact links

Referencing request #38259

Git commit

tuleap/tuleap/stable

Referenced by request #38259

Artifact Tracker v5

Git commit

tuleap/tuleap/stable

Other

Follow-ups