OCA / server-auth

https://odoo-community.org/psc-teams/tools-30
GNU Affero General Public License v3.0
150 stars, 403 forks

Vulnerability in users_ldap_groups allows arbitrary LDAP queries via JSON RPC API #617

Closed oh2fih closed 3 months ago

oh2fih commented 6 months ago

Module

users_ldap_groups

Describe the bug

Model res.company.ldap.operator operators should be private methods; public methods allow arbitrary LDAP queries via JSON RPC API.

To Reproduce

Affected versions: all

Steps to reproduce the behavior:

Send `POST /web/dataset/call_kw/res.company.ldap.operator/query HTTP/1.1`, e.g., with data:

```json
{"id":5,"jsonrpc":"1.0","method":"call","params":{"model":"res.company.ldap.operator","method":"query","args":["","",""],"kwargs":{}}}
```

Expected behavior

Methods should not be available via the JSON RPC API but only from other Python classes.

Additional context

See https://www.odoo.com/documentation/17.0/developer/reference/backend/security.html#unsafe-public-methods

Attempted fix

A possible fix for this vulnerability is now in https://github.com/OCA/server-auth/pull/659 (https://github.com/OCA/server-auth/pull/659/commits/62d064f07f4a1d87fb949d1ff6dad9df6139cedd).
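The mechanism behind the report, as an added example that is not code from OCA/server-auth or from the issue author: Odoo's `/web/dataset/call_kw` endpoint dispatches to any model method whose name does not start with an underscore, so a public operator method is reachable by every authenticated user, while the same method renamed with a leading underscore is still usable from Python but refused by the RPC layer. The operator signature `(base, attribute, value)`, the `FakeLdapConnection` stand-in and the `call_kw`/`dispatch` functions below are assumptions made for this offline demo; the name check reproduces the rule Odoo applies in `odoo.models.check_method_name`.

```python
import json
import re

# Odoo's remote-call name check refuses names starting with "_" (and "init");
# reimplemented here so the example runs without an Odoo server.
PRIVATE_NAME = re.compile(r"^(_.*|init)$")


class AccessError(Exception):
    """Stand-in for odoo.exceptions.AccessError."""


def check_method_name(name):
    """Raise AccessError for a private method name, as Odoo's dispatcher does."""
    if PRIVATE_NAME.match(name):
        raise AccessError("Private methods (such as %s) cannot be called remotely." % name)


class FakeLdapConnection:
    """Constructed stand-in for an LDAP connection: records every search requested."""

    def __init__(self):
        self.queries = []

    def search_s(self, base, filterstr):
        self.queries.append((base, filterstr))
        return []  # no directory behind this; the point is who can reach it


class VulnerableLdapOperator:
    """Before the fix: the operator is public, so call_kw dispatches to it.
    The (base, attribute, value) signature is an assumption for this example."""

    def __init__(self, conn):
        self.conn = conn

    def query(self, base, attribute, value):
        # Caller-controlled base and filter go straight to the directory.
        return self.conn.search_s(base, "(%s=%s)" % (attribute, value))


class FixedLdapOperator:
    """After the fix: same logic under a private name; Python callers are
    unaffected, the RPC layer refuses it."""

    def __init__(self, conn):
        self.conn = conn

    def _query(self, base, attribute, value):
        return self.conn.search_s(base, "(%s=%s)" % (attribute, value))


def remotely_callable(cls):
    """Method names on cls that Odoo's dispatcher would accept over JSON-RPC.
    Useful as a quick audit of a model class."""
    return sorted(n for n, v in vars(cls).items()
                  if callable(v) and not PRIVATE_NAME.match(n))


REGISTRY = {}  # model name -> record; stand-in for env[model] (assumed)


def call_kw(model, method, args, kwargs):
    """Minimal stand-in for /web/dataset/call_kw: name check, then getattr-and-call."""
    check_method_name(method)
    return getattr(REGISTRY[model], method)(*args, **kwargs)


def dispatch(payload):
    """Handle one JSON-RPC request body of the shape the web client posts."""
    req = json.loads(payload)
    p = req["params"]
    try:
        result = call_kw(p["model"], p["method"], p["args"], p.get("kwargs", {}))
        return {"jsonrpc": "2.0", "id": req.get("id"), "result": result}
    except (AccessError, AttributeError) as exc:
        return {"jsonrpc": "2.0", "id": req.get("id"), "error": str(exc)}


def demo(operator_cls, method):
    """Install operator_cls as the model, post a request naming `method`, and
    return (reply, number of LDAP searches the remote caller triggered)."""
    conn = FakeLdapConnection()
    REGISTRY["res.company.ldap.operator"] = operator_cls(conn)
    body = json.dumps({
        "jsonrpc": "2.0", "id": 5, "method": "call",
        "params": {"model": "res.company.ldap.operator", "method": method,
                   "args": ["dc=example,dc=org", "uid", "*"], "kwargs": {}},
    })
    return dispatch(body), len(conn.queries)


if __name__ == "__main__":
    print(remotely_callable(VulnerableLdapOperator))
    print(remotely_callable(FixedLdapOperator))
    print(demo(VulnerableLdapOperator, "query"))   # search reaches the directory
    print(demo(FixedLdapOperator, "_query"))       # refused before any search
```

`remotely_callable` is the check worth running over any model that wraps a backend connection: anything it lists is part of the RPC surface for every logged-in user, regardless of what the module's own Python code intended.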

oh2fih commented 3 months ago

This project seems to be maintained with inadequate resources. Could @gurneyalex, as the OCA Representative of this project, take a look at this vulnerability and the fix in #596? This has now been publicly available for three months. Thanks!

rvalyi commented 3 months ago

Hello, I just approved and commented on your PR.