Skip to content

test: in and contains are dangerous#84

Merged
schmichael merged 1 commit into
mainfrom
test-in
Jan 9, 2025
Merged

test: in and contains are dangerous#84
schmichael merged 1 commit into
mainfrom
test-in

Conversation

@schmichael
Copy link
Copy Markdown
Member

@schmichael schmichael commented Dec 18, 2024
edited
Loading

Workaround

This is precisely why products like Consul and Nomad allow for mapping scalar and list claims separately.

In the example below, Consul and Nomad users would map the Role claim with something like:

  "ClaimMappings": {
    "http://example.com/role": "role"
  },
  "ListClaimMappings": {
    "http://nomad.com/role": "role_list"
  }

And then use a selector like the following to differentiate between the scalar and list versions of Role:

(role == admin) or (admin in role_list)

Implementations of bexpr used for authz or other security sensitive operations based on user supplied data must map that data to statically typed fields as above to avoid privilege escalations.

I think it's probably worth merging this test to hopefully make this behavior a tiny bit more obvious.

Original Description

The in and contains operators work on multiple data types: strings (as a substring test) and containers (as a membership test).

Unfortunately it has been observed that some authorization servers will mix types in their responses which are processed by bexpr in auth binding rules.

For example an authorization server may return either:

{"Name": "Alice", "Role": "db_admin"}
{"Name": "Bob",   "Role": ["admin", "foo"]}

A binding rule attempting to match on the admin role would be written as:

admin in Role
Role contains admin

Unfortunately these bexpr expressions will match both Alice and Bob due to substring matching.

@schmichael
test: in and contains are dangerous
b366ded 
The `in` and `contains` operators work on multiple data types: strings
(as a substring test) and containers (as a membership test).

Unfortunately it has been observed that some authorization servers will
mix types in their responses which are processed by bexpr in auth
binding rules.

For example an authorization server may return either:

```
{"Name": "Alice", "Role": "db_admin"}
{"Name": "Bob",   "Role": ["admin", "foo"]}
```

A binding rule attempting to match on the `admin` role would be written
as:

```
admin in Role
Role contains admin
```

Unfortunately these bexpr expressions will match *both* Alice and Bob
due to substring matching.
@schmichael schmichael requested a review from mkeeler December 18, 2024 18:27
@schmichael schmichael requested a review from a team as a code owner December 18, 2024 18:27
mukeshjc
mukeshjc approved these changes Jan 9, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mukeshjc mukeshjc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@schmichael schmichael merged commit 7126c55 into main Jan 9, 2025
@schmichael schmichael deleted the test-in branch January 9, 2025 17:07
@campaigner-prod campaigner-prod Bot mentioned this pull request Apr 23, 2026
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mkeeler mkeeler mkeeler approved these changes

@jrasell jrasell jrasell approved these changes

+1 more reviewer

@mukeshjc mukeshjc mukeshjc approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@schmichael @mkeeler @jrasell @mukeshjc