Project

General

Profile

Actions

Defect #37171

closed

Ability to change the issue category or issue target version with nonexistent value for the specific project

Added by Nikola Milanov almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
High
Category:
Security
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Hi there,
I found a way to change category with nonexistent ID for the specific project.
I will try to explain it in more details (the user making the change has access to the project)
1. User start editing the ticket (click "Edit" button)
2. Right click on Category field and choose "Inspect" (Developer's tool)
3. Then we change the value of the category to one that is not in the project
4. Click "Submit" button and we save the ID of category that not exist for the specific folder.

Is there any way to make to verify that this category is in the project to avoid this kind of changes?

Cheers


Files

Actions #1

Updated by Mischa The Evil almost 2 years ago

  • Subject changed from Ability to change the category with nonexistent for the specific project to Ability to change the issue category with nonexistent value for the specific project
  • Category changed from Issues to Security
  • Status changed from New to Confirmed
  • Priority changed from Normal to High
  • Private changed from No to Yes

Nikola Stojiljkovic Milanov: Thanks for reporting this issue.

I was able to reproduce the reported behavior using the provided steps on an old 4.2-stable (Rails 5.x) playground. I think this affects current trunk (Rails 6.x) too, but I haven't actually tested this.

I currently don't know for sure how pervasive this behavior is in that it might extend to other fields and/or modules, but this should nevertheless be properly investigated and acted upon given the potential security implications of this issue (issue and (custom) field visibility, workflows, assignees, API-request behavior, etc.).

Given all the above I'll:
  • set the issue to private;
  • set the issue priority to High;
  • set the issue category to Security; and
  • add Go, Holger and Marius as watchers.

@Go, holger mareck, Marius Ionescu: Can you'll have a look into this matter?

Actions #2

Updated by Holger Just almost 2 years ago

  • Assignee set to Holger Just

I'll have a look later today.

Actions #3

Updated by Holger Just almost 2 years ago

Attached, there are two patches to improve the validations:

  • 0001-Validate-category_id-against-available-categories-in.patch added the validation for the category_id to ensure that the given category is valid within the issue's project.
  • 0002-Validate-fixed_version_id-to-ensure-that-a-version-w.patch improves the validation of the fixed_version_id to ensure that no invalid version (that is: one that does not exist at all) can be given.

I think all of the other fields are fine since they either reference global data (project, tracker, assigned_to, author, status) and/or are correctly checked already.

Marius or Maeda-san, could either of you check those patches and merge them? They should cleanly apply to the current trunk, 5.0-stable and 4.2-stable. I'm assigning the issue to Marius, please feel free to re-assign as necessary.

Actions #4

Updated by Marius BĂLTEANU almost 2 years ago

  • Status changed from Confirmed to Resolved
  • Target version set to 4.2.7
  • Resolution set to Fixed

Thanks, I've committed both patches and I'm going to merge them to the stable branches once the tests pass.

Actions #5

Updated by Marius BĂLTEANU almost 2 years ago

  • Subject changed from Ability to change the issue category with nonexistent value for the specific project to Ability to change the issue category or issue target version with nonexistent value for the specific project
  • Status changed from Resolved to Closed

Merged to stable branches.

Actions #6

Updated by Marius BĂLTEANU almost 2 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF