devol/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-02-08 07:38:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

ExportController: fix improper authorization vulnerability

Browse Source 
We fix the improper authorization by duplicating the check done by
the private method EntryController::checkUserAction().

We also replace the ParamConverter used to get the requested Entry with
an explicit call to EntryRepository in order to prevent a resource
enumeration through response discrepancy. Thus, we get the same
exception whether the requested resource does not exist or is not owned
by the requester.

Fixes GHSA-qwx8-mxxx-mg96

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
This commit is contained in:
Kevin Decherf 2023-01-12 23:40:16 +01:00
parent 9e9aedee94
commit 0fdd9aa991
2 changed files with 27 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/Wallabag/CoreBundle/Controller/ExportController.php
View File

@ -6,7 +6,6 @@ use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Annotation\Route; use Symfony\Component\Routing\Annotation\Route;
use Wallabag\CoreBundle\Entity\Entry;
/** /**
* The try/catch can be removed once all formats will be implemented. * The try/catch can be removed once all formats will be implemented.
@ -26,9 +25,21 @@ class ExportController extends Controller
* *
* @return \Symfony\Component\HttpFoundation\Response * @return \Symfony\Component\HttpFoundation\Response
*/ */
public function downloadEntryAction(Entry $entry, $format) public function downloadEntryAction(Request $request, $format)
{ {
try { try {
$entry = $this->get('wallabag_core.entry_repository')
->find((int) $request->query->get('id'));
/**
* We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability
*
* This should be eventually rewritten
*/
if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
throw new NotFoundHttpException();
}
return $this->get('wallabag_core.helper.entries_export') return $this->get('wallabag_core.helper.entries_export')
->setEntries($entry) ->setEntries($entry)
->updateTitle('entry') ->updateTitle('entry')

14
tests/Wallabag/CoreBundle/Controller/ExportControllerTest.php
View File

@ -57,7 +57,7 @@ class ExportControllerTest extends WallabagCoreTestCase
$this->assertSame(404, $client->getResponse()->getStatusCode()); $this->assertSame(404, $client->getResponse()->getStatusCode());
} }
public function testBadEntryId() public function testNonExistingEntryId()
{ {
$this->logInAs('admin'); $this->logInAs('admin');
$client = $this->getClient(); $client = $this->getClient();
@ -67,6 +67,18 @@ class ExportControllerTest extends WallabagCoreTestCase
$this->assertSame(404, $client->getResponse()->getStatusCode()); $this->assertSame(404, $client->getResponse()->getStatusCode());
} }
public function testForbiddenEntryId()
{
$this->logInAs('admin');
$client = $this->getClient();
// Entry with id 3 is owned by the user bob
// See EntryFixtures
$client->request('GET', '/export/3.mobi');
$this->assertSame(404, $client->getResponse()->getStatusCode());
}
public function testEpubExport() public function testEpubExport()
{ {
$this->logInAs('admin'); $this->logInAs('admin');