From 0d1d510309a0539165aa4422f0f9a1aea0295244 Mon Sep 17 00:00:00 2001
From: Alberto Espinoza
Date: Wed, 4 Dec 2024 12:23:56 -0600
Subject: [PATCH 1/2] R2-3138 - Security - Fix user escalation of privilege
---
 app/models/user.rb | 2 +-
 spec/models/user_spec.rb | 29 +++++++++++++++++++
 spec/requests/api/v2/users_controller_spec.rb | 2 ++
 3 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index b058b6d27f..e1e2dd811e 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -128,7 +128,7 @@ def hidden_attributes
 end
 def self_hidden_attributes
- %w[role_unique_id identity_provider_unique_id user_name]
+ %w[role_unique_id identity_provider_unique_id user_name user_group_unique_ids agency_id]
 end
 def password_parameters
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index b14c202b12..19c3883706 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
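Review bot: `self_hidden_attributes` is a denylist for the self-edit path, so any privilege-bearing column the User model gains later is writable by the user until someone remembers to add it here; the second patch in this series already has to extend the list, which is the usual sign that an allowlist of the few profile fields a user may change about themselves would fail closed where this fails open. If the denylist stays, document its contract above the method: `# Attributes a user must never be able to set on their own record. Any new column that confers access (role, agency, group, auth state) belongs here; permitted_api_params relies on this list.`. The added spec also asserts `role_id` is excluded although it is not in this list, so presumably `hidden_attributes` (defined just above, body outside this hunk) strips it; that dependency is worth confirming rather than assuming.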
@@ -1056,6 +1056,35 @@ def build_and_save_user(options = {})
 end
 end
+ describe '.permitted_api_params' do
+ before do
+ clean_data(User, Role, PrimeroModule, PrimeroProgram, FormSection, Agency, UserGroup, Child)
+ @module_cp = PrimeroModule.new(name: 'CP')
+ @module_cp.save(validate: false)
+
+ permission_case = Permission.new(
+ resource: Permission::CASE,
+ actions: [Permission::READ, Permission::WRITE, Permission::CREATE]
+ )
+ @role = Role.new(permissions: [permission_case], modules: [@module_cp])
+ @role.save(validate: false)
+ @group1 = UserGroup.create!(name: 'Group1')
+ @user1 = User.new(user_name: 'user1', role: @role, user_groups: [@group1])
+ @user1.save(validate: false)
+ end
+ context 'when user is not admin' do
+ it 'should not returm that are not allowed' do
+ expect(User.permitted_api_params(@user1, @user1)).not_to include(
+ 'role_unique_id', 'role_id', 'user_group_unique_ids', 'agency_id'
+ )
+ end
+ end
+
+ after do
+ clean_data(User, Role, PrimeroModule, PrimeroProgram, FormSection, Agency, UserGroup, Child)
+ end
+ end
+
 after do
 clean_data(Alert, User, Agency, Role, FormSection, Field)
 end
diff --git a/spec/requests/api/v2/users_controller_spec.rb b/spec/requests/api/v2/users_controller_spec.rb
index 6d64deeee0..977d7a2279 100644
--- a/spec/requests/api/v2/users_controller_spec.rb
+++ b/spec/requests/api/v2/users_controller_spec.rb
@@ -733,6 +733,7 @@
 data: {
 role_unique_id: 'test-role-1',
 identity_provider_unique_id: 'primeroims_2',
+ agency_id: @agency_a.id,
 user_name:
 }
 }
@@ -744,6 +745,7 @@
 expect(response).to have_http_status(200)
 expect(json['data']['id']).to eq(@user_d.id)
 expect(@user_d.role.unique_id).to eq(@role_manage_user.unique_id)
+ expect(@user_d.agency.unique_id).to eq(@agency_b.unique_id)
 expect(@user_d.user_name).not_to eq(user_name)
 expect(@user_d.identity_provider.unique_id).to eq(@identity_provider_a.unique_id)
 end
From aaede4d815e2ddcf71b4cf0880c3434efb065bab Mon Sep 17 00:00:00 2001
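Review bot: The example name `it 'should not returm that are not allowed'` has a typo and no subject; `it 'excludes role, agency and user-group attributes when a user edits their own record'` states what the expectation checks. The new describe block only exercises the self-edit case (`permitted_api_params(@user1, @user1)`), so a regression that hid `agency_id` and `user_group_unique_ids` from every caller, including a user with manage-user permission editing someone else, would still pass; a second example with a distinct target user asserting those keys are present would pin the intended asymmetry. The nested `after` repeats the exact `clean_data(...)` call from `before`, which the outer `after` (visible as context here) already partly covers, so one of them can go.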
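Review bot: `expect(@user_d.agency.unique_id).to eq(@agency_b.unique_id)` only proves the submitted `agency_id: @agency_a.id` was ignored if `@user_d` is re-read after the request and `@agency_a` is a different record from `@agency_b`; both the reload and the fixture setup are outside this hunk, and the `it` block containing these lines starts above it. If the sibling role assertion relies on an earlier reload the new line is fine; otherwise `@user_d.reload` belongs before it. Adding `expect(@user_d.agency_id).not_to eq(@agency_a.id)` makes the intent explicit and guards against the two fixtures resolving to the same agency.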
From: Alberto Espinoza
Date: Wed, 4 Dec 2024 14:20:33 -0600
Subject: [PATCH 2/2] R2-3138 Adding more hidden attributes
---
 app/models/user.rb | 4 +++-
 spec/models/user_spec.rb | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index e1e2dd811e..b5c5361844 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -128,7 +128,9 @@ def hidden_attributes
 end
 def self_hidden_attributes
- %w[role_unique_id identity_provider_unique_id user_name user_group_unique_ids agency_id]
+ %w[role_unique_id identity_provider_unique_id user_name user_group_unique_ids agency_id
+ identity_provider_id reset_password_token reset_password_sent_at service_account
+ unlock_token locked_at failed_attempts identity_provider_sync]
 end
 def password_parameters
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 19c3883706..0d68de420d 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1075,7 +1075,7 @@ def build_and_save_user(options = {})
 context 'when user is not admin' do
 it 'should not returm that are not allowed' do
 expect(User.permitted_api_params(@user1, @user1)).not_to include(
- 'role_unique_id', 'role_id', 'user_group_unique_ids', 'agency_id'
+ *User.self_hidden_attributes
 )
 end
 end
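Review bot: `reset_password_token`, `reset_password_sent_at`, `unlock_token`, `locked_at` and `failed_attempts` are authentication-state columns that no API caller should be able to write, yet the hunk adds them only to `self_hidden_attributes`, which by name and by the spec in this series applies when a user edits their own record. Unless `hidden_attributes` (defined just above, body outside this hunk) already removes them, a caller with permission to manage other users can still set another account's reset token or clear its lockout through `permitted_api_params`. Move those five, and arguably `service_account` and `identity_provider_sync`, to the list applied to every caller, and keep `self_hidden_attributes` for fields an administrator legitimately sets on others (`role_unique_id`, `agency_id`, `user_group_unique_ids`). A short comment above each list naming who it applies to would make the split hard to get wrong next time.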
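Review bot: Splatting `*User.self_hidden_attributes` into the expectation makes the example tautological: it now checks that the method excludes whatever its own denylist contains, so deleting `agency_id` from the list would fail no test, and the explicit `role_id` check from the previous version (a key that is not in `self_hidden_attributes`) is silently lost. Keep the literal names alongside the splat: `'role_id', 'role_unique_id', 'agency_id', 'user_group_unique_ids', *User.self_hidden_attributes`. This spec is the regression test for the escalation named in the series title, so the attributes that must never be self-editable should be pinned by name here rather than derived from the code under test.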