View Issue Details

IDProjectCategoryView StatusLast Update
0026893mantisbtsecuritypublic2020-06-16 16:57
Reportervboctor Assigned Tovboctor  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version2.24.0 
Target Version2.24.1Fixed in Version2.24.1 
Summary0026893: APIs expose private attachments to users who has access to issue but not private notes
Description

This applies to both SOAP and REST API.

Impacted REST APIs:

  • {{url}}/api/rest/issues/:issue_id
  • {{url}}/api/rest/issues/:issue_id/files
  • {{url}}/api/rest/issues/:issue_id/files/:file_id

Note that the UI enforced access checks correctly since the attachments were grouped with the private notes and the private notes were not rendered.

TagsNo tags attached.

Relationships

related to 0026631 closedvboctor file_get_visible_attachments shows private files that should be invisible to the user 
related to 0026894 assignedvboctor Issue note files should show up within the notes in REST API 
related to 0027039 closeddregad CVE-2020-25781: Access to private bug note attachments 

Activities

vboctor

vboctor

2020-04-19 17:42

manager   ~0063858

@dregad and @atrol please review the change on the following branch:
https://github.com/vboctor/mantisbt/commits/attachments_api_fix

atrol

atrol

2020-04-20 02:01

developer   ~0063859

Had a very short look at it

These cases seem not to be fixed

  • {{url}}/api/rest/issues/:issue_id/files
  • {{url}}/api/rest/issues/:issue_id/files/:file_id
vboctor

vboctor

2020-04-20 02:43

manager   ~0063860

@atrol can you provide more details about the case you are tested and what you have seen?

I personally tested with an admin user and a reporter that can't see private attachments. I had attachments associated with the public issue and attachments associated with private note. The admin can see all. The reporter can see only issue attachments, but not note attachments.

Did you test with attachments that are linked to the notes in the DB, or ones that are associated at runtime? I didn't test the later, since these wouldn't be private, if they become private, they should be linked properly.

I will test again, but let me know you have tested or will find.

atrol

atrol

2020-04-20 17:22

developer   ~0063873

I personally tested with an admin user and a reporter that can't see private attachments.

same for me

attachments associated with private note

that's my test case

The reporter can see only issue attachments, but not note attachments.

that's what I see on "View Issue" page , but not when checking the JSON response via {{url}}/api/rest/issues/:issue_id/files in same browser tab

Did you test with attachments that are linked to the notes in the DB

Yes

vboctor

vboctor

2020-04-21 03:14

manager   ~0063874

@atrol I just test again and it seems to be working fine.

Can you check the value for the following configs:

  • view_attachments_threshold (default VIEWER)
  • private_bugnote_threshold (default DEVELOPER)
  • private notes are not submitted by the reporter you are testing with, since reporters can view their own private attachments.

If these are set as above, then it would be helpful if you can step through the code and see why it authorized in your environment, since only shows the right attachments in my environment.

atrol

atrol

2020-04-21 03:49

developer   ~0063875

@vboctor I checked everything you wrote before I wrote my first note, but I will check again.
Unfortunately I will not have time for it the next days.

atrol

atrol

2020-04-26 04:53

developer   ~0063915

@vboctor I tried on a complete fresh install, but was not able to reproduce.

It might somehow be related to option limit_view_unless_threshold I had stored in one of my test databases when trying this option weeks ago.
Unfortunately I changed this entry when testing other changes on "Workflow Tresholds" page.

I don't want to block your change any longer, as it's obviously better than it was before.

Related Changesets

MantisBT: master-2.24 f1f236f9

2020-04-19 13:36

vboctor


Details Diff
Fix attachments API access checks

- Fix attachment access checks for private attachments. (REST and SOAP)
- Include note attachments within notes (REST)

Fixes 0026893
Affected Issues
0026893
mod - api/soap/mc_issue_api.php Diff File
mod - core/file_api.php Diff File

MantisBT: master 4b436c4c

2020-04-19 13:36

vboctor


Details Diff
Fix attachments API access checks

- Fix attachment access checks for private attachments. (REST and SOAP)
- Include note attachments within notes (REST)

Fixes 0026893
Affected Issues
0026893
mod - api/soap/mc_issue_api.php Diff File
mod - core/file_api.php Diff File