Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] RBAC with domain may have potential unxexpected behavior #221

Closed
Zxilly opened this issue May 20, 2021 · 12 comments · Fixed by #222
Closed

[Bug] RBAC with domain may have potential unxexpected behavior #221

Zxilly opened this issue May 20, 2021 · 12 comments · Fixed by #222
Assignees
@hsluoyz
Labels
enhancement New feature or request

Comments

@Zxilly
Copy link
Contributor

Zxilly commented May 20, 2021

https://github.com/casbin/casbin/blob/d8b8c3d1ad7fc2a9bf03d31955850acb1272f3e1/rbac/default-role-manager/role_manager.go#L489-L495

If we have a domain like name::domain, it may lead to unexpected behavior.

@closetool plz confirm this
@Zxilly Zxilly changed the title [Bug] RBAC with domain may have potential unxexpected behavior. [Bug] RBAC with domain may have potential unxexpected behavior May 20, 2021
@Zxilly
Copy link
Contributor Author

Zxilly commented May 20, 2021

We can change defaultSeparator to a rarely used unicode code. But change domainAndName to a structure might be a better choice.

@kilosonc
Copy link
Collaborator

@Zxilly Yep, we'll discuss about it.

@hsluoyz
Copy link
Member

hsluoyz commented May 22, 2021

@Zxilly in Casbin, the domain should never contain ::. It's reversed keyword. Like you cannot use for as a variable name in a programming language.

@ErikQQY can you add this naming convention to our docs?

@ErikQQY
Copy link
Member

ErikQQY commented May 22, 2021

@hsluoyz OK, I am working on it

@hsluoyz hsluoyz transferred this issue from casbin/casbin May 22, 2021
@hsluoyz hsluoyz added the enhancement New feature or request label May 22, 2021
@ErikQQY ErikQQY mentioned this issue May 22, 2021
Merged
@Zxilly
Copy link
Contributor Author

Zxilly commented May 30, 2021
edited
Loading

@hsluoyz I believed this is still a potential security problem.
For example, if we have a application use casbin and allow user to define their own domain. It should be user::customdomain in g list.
However, the attacker can create a custom domain admin::anotherdomain, which result to admin::anotherdomain::user in g list. The attacker will get permission from admin::anotherdomain.
We can warn our user to filter :: in domain. Or change domainAndName to a structure can resolve this.
Should we submit this to CVE?

@hsluoyz
Copy link
Member

hsluoyz commented May 31, 2021

@Zxilly If the user can define domain fields, then isn't he powerful enough to do anything else than just messing with the domain?

@Zxilly
Copy link
Contributor Author

Zxilly commented May 31, 2021

@hsluoyz like this issue casbin/casbin#493, specially constructed organazation name can lead to permission leakage.

@sagilio
Copy link
Member

sagilio commented Jun 5, 2021

@hsluoyz I think it is a potential problem too and we can avoid it with some changes.
Casbin.NET version does not have this problem. Because I use Map<domainName, Map<roleName, role>> structure like before and cached all roles and all domains list for pattern feature, it need not domainAndName.

@Zxilly Zxilly mentioned this issue Jun 15, 2021
Merged
@rrasulzade
Copy link

@hsluoyz, here documentation says we can use :: as a separator to distinguish role from user. I'm using the same separator for domains as well. Given the concern above, do I need to update my whole database to replace the separator with a different one? Thanks
https://github.com/casbin/casbin-website/blob/master/docs/RBAC.md#how-to-distinguish-role-from-user

@Zxilly
Copy link
Contributor Author

Zxilly commented Jul 15, 2021

@rrasulzade Which language of casbin do you use?

@rrasulzade
Copy link

Go

@Zxilly
Copy link
Contributor Author

Zxilly commented Jul 15, 2021

@closetool plz notice this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hsluoyz hsluoyz

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

docs: Add naming convention to docs
6 participants
@hsluoyz @rrasulzade @Zxilly @sagilio @ErikQQY @kilosonc