Posted to user@couchdb.apache.org by Wordit <wo...@gmail.com> on 2012/08/29 20:28:14 UTC

Possible validation security issue

I may have stumbled upon a security issue in validation functions.
Maybe somebody else can try to confirm this. I've been using the
validation function mentioned several times in the user guide:

function (newDoc, oldDoc, userCtx) {
  if (newDoc.author) {
    if(newDoc.author != userCtx.name) {
      throw({"forbidden": "You may only update documents with author " +
        userCtx.name});
    }
  }
}

A user who is *not* newDoc.author will be prevented from updating the
document when editing. So far so good. However, to get around security
and edit the document, a user who is not the author only has to change
the author field to their name. Voila, they can now edit all other
fields. Works in Futon in two steps, from Curl in one step.

I've been testing this on iriscouch.com, so it's the currently hosted
version I'm referring to. I first noticed using curl. Something like
this:

db has two fields.
author: usera
text: my wonderful text

The goal is to change field "text" as another user, e.g. "userb".
userb just has to update the author field from usera to userb:

curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d '{"_rev":"3-456","author":"userb"}' -H "Content-type: application/json"

couch returns new _rev:4-567

Now the document belongs to userb, the text field can be updated.

curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d '{"_rev":"4-567","author":"userb", "text":"gottcha"}' -H "Content-type: application/json"

Actually, it worked in one go for me to just overwrite the author
field and change other fields. It didn't require two steps in Curl.

Shouldn't couchdb prevent the author field from being updated? It
seems this only works with the name of the currently authenticated
user. You cannot enter just anything into the author field.

Can anyone confirm, and if this is correct, how can the document be secured?

Thanks,

Marcus

Re: Possible validation security issue

Posted by Paul Davis <pa...@gmail.com>.
Check against oldDoc instead of newDoc?

On Wed, Aug 29, 2012 at 1:28 PM, Wordit <wo...@gmail.com> wrote:
> I may have stumbled upon a security issue in validation functions.
> Maybe somebody else can try to confirm this. I've been using the
> validation function mentioned several times in the user guide:
>
> function (newDoc, oldDoc, userCtx) {
>   if (newDoc.author) {
>     if(newDoc.author != userCtx.name) {
>       throw({"forbidden": "You may only update documents with author " +
>         userCtx.name});
>     }
>   }
> }
>
> A user who is *not* newDoc.author will be prevented from updating the
> document when editing. So far so good. However, to get around security
> and edit the document, a user who is not the author only has to change
> the author field to their name. Voila, they can now edit all other
> fields. Works in Futon in two steps, from Curl in one step.
>
> I've been testing this on iriscouch.com, so it's the currently hosted
> version I'm referring to. I first noticed using curl. Something like
> this:
>
> db has two fields.
> author: usera
> text: my wonderful text
>
> The goal is to change field "text" as another user, e.g. "userb".
> userb just has to update the author field from usera to userb:
>
> curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d '{"_rev":"3-456","author":"userb"}' -H "Content-type: application/json"
>
> couch returns new _rev:4-567
>
> Now the document belongs to userb, the text field can be updated.
>
> curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d '{"_rev":"4-567","author":"userb", "text":"gottcha"}' -H "Content-type: application/json"
>
> Actually, it worked in one go for me to just overwrite the author
> field and change other fields. It didn't require two steps in Curl.
>
> Shouldn't couchdb prevent the author field from being updated? It
> seems this only works with the name of the currently authenticated
> user. You cannot enter just anything into the author field.
>
> Can anyone confirm, and if this is correct, how can the document be secured?
>
> Thanks,
>
> Marcus

Re: Possible validation security issue

Posted by Robert Newson <rn...@apache.org>.
I'm really struggling to believe that many people would read this code;

function (newDoc, oldDoc, userCtx) {
 if (newDoc.author) {
   if(newDoc.author != userCtx.name) {
     throw({"forbidden": "You may only update documents with author " +
       userCtx.name});
   }
 }
}

and think it prevented the changing of the author field. That code simply isn't there, couchdb isn't magically adding the code you didn't write.

B.

On 30 Aug 2012, at 22:33, Tim Tisdall wrote:

> ^_^  I'm fairly new to couchdb, too.  I only figured that out because
> I saw on the page you linked to that it referred to a previous chapter
> and I went to it to see if there was any clarification or if the code
> was the same.  It probably should be tweaked a bit so it's a little
> more clear what the chunk of code is intended to do.
> 
> You should post something in the issues tracker and see if they'll change it...
> 
> -Tim
> 
> On Thu, Aug 30, 2012 at 5:09 PM, Wordit <wo...@gmail.com> wrote:
>> On Wed, Aug 29, 2012 at 10:32 PM, Tim Tisdall <ti...@gmail.com> wrote:
>>> 
>>> I think that chunk of code is to ensure that when someone saves a
>>> change to a document that they also have to sign it with their own
>>> user name.
>> 
>> That would certainly make sense for a wiki application, but I think
>> it's unclear because "author" is not defined. Is it the current user
>> editing the document, or the previous user who edited the document?
>> 
>> The example is misleading to people learning couchDB. In my case, I'm
>> re-visiting couchDB after 20 months not using it and had forgotten
>> about how oldDoc/newDoc works. I found the same code example referring
>> to the definitive guide in another post, possibly in a different
>> forum. The poster had the same expectation I did and the people
>> replying did not correct or change that expectation.
>> 
>> When you have more in-depth knowledge of how couchDB works it all
>> seems obvious, I'm sure. You probably wonder how anyone could possibly
>> misunderstand.
>> 
>> 
>> Marcus


Re: Possible validation security issue

Posted by Tim Tisdall <ti...@gmail.com>.
^_^  I'm fairly new to couchdb, too.  I only figured that out because
I saw on the page you linked to that it referred to a previous chapter
and I went to it to see if there was any clarification or if the code
was the same.  It probably should be tweaked a bit so it's a little
more clear what the chunk of code is intended to do.

You should post something in the issues tracker and see if they'll change it...

-Tim

On Thu, Aug 30, 2012 at 5:09 PM, Wordit <wo...@gmail.com> wrote:
> On Wed, Aug 29, 2012 at 10:32 PM, Tim Tisdall <ti...@gmail.com> wrote:
>>
>> I think that chunk of code is to ensure that when someone saves a
>> change to a document that they also have to sign it with their own
>> user name.
>
> That would certainly make sense for a wiki application, but I think
> it's unclear because "author" is not defined. Is it the current user
> editing the document, or the previous user who edited the document?
>
> The example is misleading to people learning couchDB. In my case, I'm
> re-visiting couchDB after 20 months not using it and had forgotten
> about how oldDoc/newDoc works. I found the same code example referring
> to the definitive guide in another post, possibly in a different
> forum. The poster had the same expectation I did and the people
> replying did not correct or change that expectation.
>
> When you have more in-depth knowledge of how couchDB works it all
> seems obvious, I'm sure. You probably wonder how anyone could possibly
> misunderstand.
>
>
> Marcus

Re: Possible validation security issue

Posted by Wordit <wo...@gmail.com>.
On Wed, Aug 29, 2012 at 10:32 PM, Tim Tisdall <ti...@gmail.com> wrote:
>
> I think that chunk of code is to ensure that when someone saves a
> change to a document that they also have to sign it with their own
> user name.

That would certainly make sense for a wiki application, but I think
it's unclear because "author" is not defined. Is it the current user
editing the document, or the previous user who edited the document?

The example is misleading to people learning couchDB. In my case, I'm
re-visiting couchDB after 20 months not using it and had forgotten
about how oldDoc/newDoc works. I found the same code example referring
to the definitive guide in another post, possibly in a different
forum. The poster had the same expectation I did and the people
replying did not correct or change that expectation.

When you have more in-depth knowledge of how couchDB works it all
seems obvious, I'm sure. You probably wonder how anyone could possibly
misunderstand.


Marcus

Re: Possible validation security issue

Posted by Tim Tisdall <ti...@gmail.com>.
okay.. seems I hit "send" too quickly...  read this section:
http://guide.couchdb.org/draft/validation.html#authorship

I think that chunk of code is to ensure that when someone saves a
change to a document that they also have to sign it with their own
user name.  So, changing the user name in the document isn't a way to
circumvent the security, it's something that the validator is
enforcing so the document always has the author of the last person to
edit it.

So, not a bug in the document, just a misunderstanding of the
intention of the code...

-Tim

On Wed, Aug 29, 2012 at 4:25 PM, Tim Tisdall <ti...@gmail.com> wrote:
> I think it should probably be looking at the oldDoc like Paul said.
> Then it should be preventing all editing unless the current user is
> the one in the doc (including changing the author).
>
> On the top of the couchdb definitive guide page you sent there's a
> link that says "report issue"...  I'm pretty sure you found a problem
> in the code.  I also didn't see an existing issue in the issue tracker
> about it.
>
> On Wed, Aug 29, 2012 at 3:01 PM, Wordit <wo...@gmail.com> wrote:
>> The function I used is from the "CouchDB Definitive Guide". It's in
>> both the security and validation sections.
>>
>> http://guide.couchdb.org/draft/security.html
>>
>> "We had an update validation function that allowed us to verify that
>> the claimed author of a document matched the authenticated username."
>>
>> Is the guide outdated, is it an error in the guide, or did I
>> misunderstand what it is to be used for? Or all three perhaps?
>>
>>
>> That aside, why does the function prevent updating all fields except
>> the author field when that is the one in the validation function? What
>> am I missing in couchdb's logic?
>>
>> Marcus

Re: Possible validation security issue

Posted by Tim Tisdall <ti...@gmail.com>.
I think it should probably be looking at the oldDoc like Paul said.
Then it should be preventing all editing unless the current user is
the one in the doc (including changing the author).

On the top of the couchdb definitive guide page you sent there's a
link that says "report issue"...  I'm pretty sure you found a problem
in the code.  I also didn't see an existing issue in the issue tracker
about it.

On Wed, Aug 29, 2012 at 3:01 PM, Wordit <wo...@gmail.com> wrote:
> The function I used is from the "CouchDB Definitive Guide". It's in
> both the security and validation sections.
>
> http://guide.couchdb.org/draft/security.html
>
> "We had an update validation function that allowed us to verify that
> the claimed author of a document matched the authenticated username."
>
> Is the guide outdated, is it an error in the guide, or did I
> misunderstand what it is to be used for? Or all three perhaps?
>
>
> That aside, why does the function prevent updating all fields except
> the author field when that is the one in the validation function? What
> am I missing in couchdb's logic?
>
> Marcus

Re: Possible validation security issue

Posted by Wordit <wo...@gmail.com>.
The function I used is from the "CouchDB Definitive Guide". It's in
both the security and validation sections.

http://guide.couchdb.org/draft/security.html

"We had an update validation function that allowed us to verify that
the claimed author of a document matched the authenticated username."

Is the guide outdated, is it an error in the guide, or did I
misunderstand what it is to be used for? Or all three perhaps?


That aside, why does the function prevent updating all fields except
the author field when that is the one in the validation function? What
am I missing in couchdb's logic?

Marcus

Re: Possible validation security issue

Posted by Robert Newson <rn...@apache.org>.
Firstly, security issues (even suspected ones) should not be posted to a public mailing list (use security@couchdb.apache.org)

Secondly, you ask "Shouldn't couchdb prevent the author field from being updated?"

The answer, of course is, "Yes, if a validate_doc_update function prevents it". Yours doesn't but should.

B.

On 29 Aug 2012, at 19:28, Wordit wrote:

> I may have stumbled upon a security issue in validation functions.
> Maybe somebody else can try to confirm this. I've been using the
> validation function mentioned several times in the user guide:
> 
> function (newDoc, oldDoc, userCtx) {
>  if (newDoc.author) {
>    if(newDoc.author != userCtx.name) {
>      throw({"forbidden": "You may only update documents with author " +
>        userCtx.name});
>    }
>  }
> }
> 
> A user who is *not* newDoc.author will be prevented from updating the
> document when editing. So far so good. However, to get around security
> and edit the document, a user who is not the author only has to change
> the author field to their name. Voila, they can now edit all other
> fields. Works in Futon in two steps, from Curl in one step.
> 
> I've been testing this on iriscouch.com, so it's the currently hosted
> version I'm referring to. I first noticed using curl. Something like
> this:
> 
> db has two fields.
> author: usera
> text: my wonderful text
> 
> The goal is to change field "text" as another user, e.g. "userb".
> userb just has to update the author field from usera to userb:
> 
> curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d '{"_rev":"3-456","author":"userb"}' -H "Content-type: application/json"
> 
> couch returns new _rev:4-567
> 
> Now the document belongs to userb, the text field can be updated.
> 
> curl -X PUT http://userb:passw@example.iriscouch.com:5984/db/123 -d '{"_rev":"4-567","author":"userb", "text":"gottcha"}' -H "Content-type: application/json"
> 
> Actually, it worked in one go for me to just overwrite the author
> field and change other fields. It didn't require two steps in Curl.
> 
> Shouldn't couchdb prevent the author field from being updated? It
> seems this only works with the name of the currently authenticated
> user. You cannot enter just anything into the author field.
> 
> Can anyone confirm, and if this is correct, how can the document be secured?
> 
> Thanks,
> 
> Marcus
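The guide's function beside a hardened one along the lines Paul and Tim suggest (check oldDoc, and keep the author field immutable on updates), run through a small stand-in for CouchDB's validate_doc_update call. This is an added example, not code from the thread or from CouchDB; `runValidation`, the sample document and the user contexts are constructed here for illustration.

```javascript
// The function as quoted in the thread: it only compares newDoc.author with the
// authenticated user, so any user can rewrite author to their own name and pass.
function guideValidate(newDoc, oldDoc, userCtx) {
  if (newDoc.author) {
    if (newDoc.author != userCtx.name) {
      throw({forbidden: "You may only update documents with author " + userCtx.name});
    }
  }
}

// Hardened version: on an update the stored document's author must be the
// caller and the author field may not change; on creation the claimed author
// must be the caller. Deletions arrive as {_deleted: true} without an author,
// so they are allowed once the ownership check on oldDoc has passed.
function ownerValidate(newDoc, oldDoc, userCtx) {
  if (oldDoc) {
    if (oldDoc.author !== userCtx.name) {
      throw({forbidden: "Only " + oldDoc.author + " may update this document"});
    }
    if (newDoc._deleted) return;
    if (newDoc.author !== oldDoc.author) {
      throw({forbidden: "The author field may not be changed"});
    }
  } else if (newDoc.author !== userCtx.name) {
    throw({forbidden: "New documents must be authored by " + userCtx.name});
  }
}

// Constructed stand-in for the server-side call: "ok" or the forbidden reason.
function runValidation(validate, newDoc, oldDoc, userCtx) {
  try {
    validate(newDoc, oldDoc, userCtx);
    return "ok";
  } catch (e) {
    return e.forbidden || String(e);
  }
}

// Constructed sample data mirroring the thread: usera's document, submitted by userb
// with the author field rewritten to userb.
const stored = { _id: "123", _rev: "3-456", author: "usera", text: "my wonderful text" };
const usera = { name: "usera", roles: [] };
const userb = { name: "userb", roles: [] };
const takeover = { _id: "123", _rev: "3-456", author: "userb", text: "gottcha" };

function guideResult() { return runValidation(guideValidate, takeover, stored, userb); }
function hardenedResult() { return runValidation(ownerValidate, takeover, stored, userb); }
function ownerEditResult() {
  return runValidation(ownerValidate, Object.assign({}, stored, { text: "edited" }), stored, usera);
}
```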