View Issue Details

ID: 0026893
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-06-16 16:57
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.24.0
Target Version: 2.24.1
Fixed in Version: 2.24.1
Summary: 0026893: APIs expose private attachments to users who have access to the issue but not to private notes
Description

This applies to both SOAP and REST API.

Impacted REST APIs:

  • {{url}}/api/rest/issues/:issue_id
  • {{url}}/api/rest/issues/:issue_id/files
  • {{url}}/api/rest/issues/:issue_id/files/:file_id

Note that the UI enforced access checks correctly since the attachments were grouped with the private notes and the private notes were not rendered.

Tags: No tags attached.

Relationships

related to 0026631 (closed, vboctor): file_get_visible_attachments shows private files that should be invisible to the user
related to 0026894 (assigned, vboctor): Issue note files should show up within the notes in REST API
related to 0027039 (closed, dregad): CVE-2020-25781: Access to private bug note attachments

Activities

vboctor (manager), 2020-04-19 17:42, note ~0063858

@dregad and @atrol please review the change on the following branch:
https://github.com/vboctor/mantisbt/commits/attachments_api_fix

atrol (developer), 2020-04-20 02:01, note ~0063859

Had a very short look at it

These cases seem not to be fixed:

  • {{url}}/api/rest/issues/:issue_id/files
  • {{url}}/api/rest/issues/:issue_id/files/:file_id

vboctor (manager), 2020-04-20 02:43, note ~0063860

@atrol can you provide more details about the case you tested and what you have seen?

I personally tested with an admin user and a reporter that can't see private attachments. I had attachments associated with the public issue and attachments associated with private note. The admin can see all. The reporter can see only issue attachments, but not note attachments.

Did you test with attachments that are linked to the notes in the DB, or ones that are associated at runtime? I didn't test the latter, since these wouldn't be private; if they become private, they should be linked properly.

I will test again, but let me know what you have tested or will find.

atrol (developer), 2020-04-20 17:22, note ~0063873

I personally tested with an admin user and a reporter that can't see private attachments.

same for me

attachments associated with private note

that's my test case

The reporter can see only issue attachments, but not note attachments.

that's what I see on "View Issue" page , but not when checking the JSON response via {{url}}/api/rest/issues/:issue_id/files in same browser tab

Did you test with attachments that are linked to the notes in the DB

Yes

vboctor (manager), 2020-04-21 03:14, note ~0063874

@atrol I just tested again and it seems to be working fine.

Can you check the value for the following configs:

  • view_attachments_threshold (default VIEWER)
  • private_bugnote_threshold (default DEVELOPER)
  • private notes are not submitted by the reporter you are testing with, since reporters can view their own private attachments.

If these are set as above, then it would be helpful if you can step through the code and see why it authorized in your environment, since it only shows the right attachments in my environment.
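The access rule the thread converges on, for the endpoints listed in the description and the two thresholds named in the note above, can be stated compactly: a caller who clears view_attachments_threshold sees the issue's own files, but a file linked to a bugnote is only shown when the caller could read that note (the note is public, the caller wrote it, or the caller is at or above private_bugnote_threshold). The following Python is an added illustration of that rule and of the reported pre-fix behaviour, not MantisBT's code (which is PHP) and not a copy of the fix on the linked branch. The Note, Attachment and User records, the function names and the sample data are assumptions constructed for this example; the access-level numbers are MantisBT's standard constants and the threshold defaults are the ones quoted in the note.

```python
"""Model of the attachment visibility rule discussed in this issue.

Added example, not MantisBT code. Assumptions:
  * standard MantisBT access levels (VIEWER=10, REPORTER=25, DEVELOPER=50,
    ADMINISTRATOR=90);
  * the defaults named in the thread: view_attachments_threshold = VIEWER,
    private_bugnote_threshold = DEVELOPER;
  * hypothetical Note/Attachment/User records; an attachment whose note_id
    is None is attached to the issue itself, otherwise to that bugnote.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

VIEWER, REPORTER, DEVELOPER, ADMINISTRATOR = 10, 25, 50, 90

VIEW_ATTACHMENTS_THRESHOLD = VIEWER      # config: view_attachments_threshold
PRIVATE_BUGNOTE_THRESHOLD = DEVELOPER    # config: private_bugnote_threshold


@dataclass(frozen=True)
class Note:
    id: int
    reporter_id: int   # user who submitted the note
    private: bool


@dataclass(frozen=True)
class Attachment:
    id: int
    filename: str
    note_id: Optional[int] = None   # None: linked to the issue, not to a note


@dataclass(frozen=True)
class User:
    id: int
    access_level: int   # effective access level on the issue's project


def can_view_note(user: User, note: Note) -> bool:
    """Private notes are visible to their author and to anyone at or above
    private_bugnote_threshold; public notes to everyone who sees the issue."""
    if not note.private:
        return True
    if note.reporter_id == user.id:
        return True
    return user.access_level >= PRIVATE_BUGNOTE_THRESHOLD


def visible_attachments_reported(user: User, attachments: List[Attachment],
                                 notes: List[Note]) -> List[Attachment]:
    """The behaviour this issue reports for the API: once the caller may view
    issue attachments at all, every file on the issue is returned, including
    files that belong to a private note the caller cannot read."""
    if user.access_level < VIEW_ATTACHMENTS_THRESHOLD:
        return []
    return list(attachments)


def visible_attachments_fixed(user: User, attachments: List[Attachment],
                              notes: List[Note]) -> List[Attachment]:
    """Apply the owning note's visibility rule to note-linked attachments."""
    if user.access_level < VIEW_ATTACHMENTS_THRESHOLD:
        return []
    notes_by_id: Dict[int, Note] = {n.id: n for n in notes}
    visible: List[Attachment] = []
    for att in attachments:
        if att.note_id is None:
            visible.append(att)
            continue
        note = notes_by_id.get(att.note_id)
        # Fail closed: a file linked to a note we cannot find is not shown.
        if note is not None and can_view_note(user, note):
            visible.append(att)
    return visible


def leaked_ids(user: User, attachments: List[Attachment],
               notes: List[Note]) -> List[int]:
    """Files the reported behaviour returns that the fixed rule withholds."""
    allowed = {a.id for a in visible_attachments_fixed(user, attachments, notes)}
    return [a.id for a in visible_attachments_reported(user, attachments, notes)
            if a.id not in allowed]


# Constructed sample data mirroring the thread's test case: an admin, a
# developer who wrote a private note, and a reporter who did not write it.
ADMIN = User(id=1, access_level=ADMINISTRATOR)
DEV = User(id=2, access_level=DEVELOPER)
REP = User(id=3, access_level=REPORTER)
NOTES = [
    Note(id=1, reporter_id=DEV.id, private=True),   # developer's private note
    Note(id=2, reporter_id=REP.id, private=True),   # reporter's own private note
]
ATTACHMENTS = [
    Attachment(id=10, filename="screenshot.png"),            # on the issue
    Attachment(id=11, filename="internal.pdf", note_id=1),   # on the dev's note
    Attachment(id=12, filename="mine.txt", note_id=2),       # on the reporter's note
]


if __name__ == "__main__":
    for who, u in (("admin", ADMIN), ("developer", DEV), ("reporter", REP)):
        print(who, [a.id for a in visible_attachments_fixed(u, ATTACHMENTS, NOTES)],
              "leaked before fix:", leaked_ids(u, ATTACHMENTS, NOTES))
```

Running it shows the reporter getting file 10 (issue attachment) and file 12 (own private note) but not 11, while the reported pre-fix path also hands out 11; the admin and the developer see all three. The orphan-note case is deliberately fail-closed, which is the conservative choice when the link between a file and its note is the only thing carrying the note's view state.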

atrol (developer), 2020-04-21 03:49, note ~0063875

@vboctor I checked everything you wrote before I wrote my first note, but I will check again.
Unfortunately I will not have time for it the next days.

atrol (developer), 2020-04-26 04:53, note ~0063915

@vboctor I tried on a complete fresh install, but was not able to reproduce.

It might somehow be related to option limit_view_unless_threshold I had stored in one of my test databases when trying this option weeks ago.
Unfortunately I changed this entry when testing other changes on the "Workflow Thresholds" page.

I don't want to block your change any longer, as it's obviously better than it was before.

Related Changesets

MantisBT: master-2.24 f1f236f9, 2020-04-19 17:36:47, vboctor

Fix attachments API access checks

- Fix attachment access checks for private attachments. (REST and SOAP)
- Include note attachments within notes (REST)

Fixes 0026893

Affected Issues: 0026893
mod - api/soap/mc_issue_api.php
mod - core/file_api.php

MantisBT: master 4b436c4c, 2020-04-19 17:36:47, vboctor

Fix attachments API access checks

- Fix attachment access checks for private attachments. (REST and SOAP)
- Include note attachments within notes (REST)

Fixes 0026893

Affected Issues: 0026893
mod - api/soap/mc_issue_api.php
mod - core/file_api.php

Issue History

Date Modified Username Field Change
2020-04-19 17:39 vboctor New Issue
2020-04-19 17:39 vboctor Status new => assigned
2020-04-19 17:39 vboctor Assigned To => vboctor
2020-04-19 17:40 vboctor Description Updated View Revisions
2020-04-19 17:42 vboctor Note Added: 0063858
2020-04-19 17:48 vboctor Description Updated View Revisions
2020-04-20 01:46 atrol Relationship added related to 0026631
2020-04-20 01:56 vboctor Note View State: 0063858: private
2020-04-20 02:01 atrol Note Added: 0063859
2020-04-20 02:01 atrol Note View State: 0063859: private
2020-04-20 02:43 vboctor Note Added: 0063860
2020-04-20 17:22 atrol Note Added: 0063873
2020-04-21 03:14 vboctor Note Added: 0063874
2020-04-21 03:49 atrol Note Added: 0063875
2020-04-21 19:02 vboctor Relationship added related to 0026894
2020-04-26 04:53 atrol Note Added: 0063915
2020-05-03 03:35 vboctor Changeset attached => MantisBT master-2.24 f1f236f9
2020-05-03 03:35 vboctor Status assigned => resolved
2020-05-03 03:35 vboctor Resolution open => fixed
2020-05-03 03:35 vboctor Fixed in Version => 2.24.1
2020-05-03 04:34 vboctor Status resolved => closed
2020-05-03 04:35 vboctor View Status private => public
2020-05-03 04:38 vboctor Changeset attached => MantisBT master 4b436c4c
2020-06-16 16:57 atrol Relationship added related to 0027039
2020-09-09 04:09 dregad Note View State: 0063859: public
2020-09-09 04:09 dregad Note View State: 0063860: public
2020-09-09 04:09 dregad Note View State: 0063873: public
2020-09-09 04:09 dregad Note View State: 0063874: public
2020-09-09 04:09 dregad Note View State: 0063875: public
2020-09-09 04:09 dregad Note View State: 0063915: public
2020-09-09 04:09 dregad Note View State: 0063858: public