ajepe / odoo-addons

Odoo addons

Critical vulnerability with put API #24

Closed loctv closed 3 years ago

loctv commented 3 years ago

Addon restful has a critical issue:

@validate_token
@http.route(_routes, type="http", auth="none", methods=["PUT"], csrf=False)
def put(self, model=None, id=None, **payload):
    """."""
    payload = payload.get('payload', {})
    try:
        _id = int(id)
    except Exception as e:
        return invalid_response("invalid object id", "invalid literal %s for id with base " % id)
    _model = request.env[self._model].sudo().search([("model", "=", model)], limit=1)
    if not _model:
        return invalid_response(
            "invalid object model", "The model %s is not available in the registry." % model, 404,
        )
    try:
        record = request.env[_model.model].sudo().browse(_id)
        record.write(payload)
    except Exception as e:
        request.env.cr.rollback()
        return invalid_response("exception", e.name)
    else:
        return valid_response(record.read())

Attacker can make a privilege escalation attack by putting anything with sudo() to update res.users, res.groups
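
Added illustration of the point made in the report above; this is not code from the odoo-addons project or from either commenter. Odoo is not imported: the `Env` and `Record` classes and the `WRITE_ACL` / `PRIVILEGED_FIELDS` tables are constructed stand-ins for the parts of `request.env` and `write()` that matter here, and the uids, group names and records are sample data. It contrasts the quoted pattern (`sudo()` then `write(payload)`) with a handler that writes in the caller's own environment, so that the access rules decide what the token holder may change. In a real Odoo controller the equivalent is to build the environment with `request.env(user=<validated uid>)` and let `write()` raise `AccessError`, or to call `record.check_access_rights("write")` and `record.check_access_rule("write")` before writing.

```python
from dataclasses import dataclass, field


class AccessError(Exception):
    """Raised when the caller may not write the requested model/fields."""


# Constructed ACL table for the illustration: model -> groups allowed to write it.
WRITE_ACL = {
    "res.partner": {"base.group_user"},
    "res.users": {"base.group_system"},
    "res.groups": {"base.group_system"},
}

# Constructed field-level guard: even where a model is writable, these
# fields may only be changed by an administrator.
PRIVILEGED_FIELDS = {
    "res.users": {"groups_id", "login", "password"},
}


@dataclass
class Record:
    model: str
    id: int
    values: dict


@dataclass
class Env:
    """Stand-in for request.env: the caller's uid, groups and a record store."""
    uid: int
    groups: set
    store: dict = field(default_factory=dict)  # (model, id) -> Record

    def sudo(self):
        # sudo() yields a superuser environment: every ACL check is skipped.
        return Env(uid=1, groups={g for gs in WRITE_ACL.values() for g in gs}, store=self.store)

    def check_write(self, model, payload):
        """Mimics check_access_rights('write') plus the field-level guard."""
        if self.uid == 1:
            return  # superuser: nothing is checked, which is the problem with sudo()
        if not self.groups & WRITE_ACL.get(model, set()):
            raise AccessError("%s: write denied for uid %d" % (model, self.uid))
        forbidden = set(payload) & PRIVILEGED_FIELDS.get(model, set())
        if forbidden and "base.group_system" not in self.groups:
            raise AccessError("%s: %s need an administrator" % (model, sorted(forbidden)))

    def write(self, model, rec_id, payload):
        self.check_write(model, payload)
        record = self.store[(model, rec_id)]
        record.values.update(payload)
        return dict(record.values)


def put_unguarded(env, model, rec_id, payload):
    """The pattern quoted in the issue: sudo() first, then write(payload)."""
    return env.sudo().write(model, rec_id, payload)


def put_guarded(env, model, rec_id, payload):
    """Write in the caller's own environment so the ACL, not the endpoint, decides."""
    return env.write(model, rec_id, payload)


def guarded_outcome(env, model, rec_id, payload):
    """Wrap put_guarded into ('ok', values) / ('denied', reason) for logging."""
    try:
        return "ok", put_guarded(env, model, rec_id, payload)
    except AccessError as exc:
        return "denied", str(exc)


def make_env():
    """Constructed sample data: an ordinary API user (uid 7) and two records."""
    store = {
        ("res.users", 7): Record("res.users", 7, {"login": "api_user", "groups_id": ["base.group_user"]}),
        ("res.partner", 3): Record("res.partner", 3, {"name": "Customer"}),
    }
    return Env(uid=7, groups={"base.group_user"}, store=store)


if __name__ == "__main__":
    # Through sudo(), the ordinary API user rewrites its own group membership.
    print(put_unguarded(make_env(), "res.users", 7, {"groups_id": ["base.group_system"]}))
    # In the caller's own environment the same write is refused,
    # while a routine partner update still goes through.
    print(guarded_outcome(make_env(), "res.users", 7, {"groups_id": ["base.group_system"]}))
    print(guarded_outcome(make_env(), "res.partner", 3, {"name": "Renamed"}))
```

The `guarded_outcome` wrapper is the shape a hardened endpoint should return to `invalid_response`: the denial reason names the model and fields, which is what you want in the server log when reviewing API activity, while the client only learns that the write was refused.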

ajepe commented 3 years ago

Do you have proof of the assertion made above? If you can prove a possible attack, a pull request will be appreciated from you instead of misleading the community about a false claim.

Pending that time I am closing this issue.

Thanks