axelor / axelor-open-platform

Open source Java framework for business application development
http://axelor.com

MetaFile security issue #52

Open CITIZENGATE opened 5 years ago

CITIZENGATE commented 5 years ago

Dear Team,

I just want to talk about the MetaFile, which has a big operational security issue.

If a user has the read permission to the MetaFile domain, which is required if he needs to see the picture for a partner, this user can download any DMS file using the REST WebService even if he does not have the permission to access the DMS file.

Why? Just because a simple loop on ws/rest/com.axelor.meta.db.MetaFile/{i}/content/download will download all documents.

To solve this issue, the quickest and dirtiest way is to introduce a UUID for each MetaFile and to use this UUID for download instead of the ID. That way, without knowing the UUID it will not be possible to download it.

Another way would be to keep the MetaFile for pictures (images only) and to introduce a new model (e.g. DmsMetaFile). Then an explicit permission could be applied to this model and fix this security issue.

Best Regards
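The second fix described above, a per-object check that ties a MetaFile download to the permission of the DMS file that owns it, as an added example. This is not Axelor code: `MetaFile`, `DmsFile`, the reader sets and the partner-picture registry are simplified stand-ins for the real entities, and the sample data is constructed.

```java
import java.util.*;

// Added example, not part of axelor-open-platform. The models below are
// simplified stand-ins for the MetaFile / DMS file records in the issue.
public class MetaFileDownloadGuard {

    record MetaFile(long id, String fileName) {}
    // A DMS file wraps a MetaFile; `readers` holds the users allowed to read it.
    record DmsFile(long id, MetaFile content, Set<String> readers) {}

    private final Map<Long, MetaFile> metaFiles = new HashMap<>();
    private final Map<Long, DmsFile> dmsByMetaFileId = new HashMap<>();
    private final Set<Long> partnerPictures = new HashSet<>();

    void addPartnerPicture(MetaFile f) { metaFiles.put(f.id(), f); partnerPictures.add(f.id()); }
    void addDmsFile(DmsFile d) { metaFiles.put(d.content().id(), d.content()); dmsByMetaFileId.put(d.content().id(), d); }

    /** True only if `user` may download the MetaFile with this id. Having read
     *  permission on the MetaFile domain is assumed for every caller and is
     *  deliberately NOT sufficient on its own. */
    public boolean canDownload(String user, long metaFileId) {
        if (!metaFiles.containsKey(metaFileId)) return false;
        if (partnerPictures.contains(metaFileId)) return true;   // plain image, visible to any MetaFile reader
        DmsFile dms = dmsByMetaFileId.get(metaFileId);
        if (dms != null) return dms.readers().contains(user);     // DMS permission checked per object
        return false; // MetaFile not linked to anything known: deny by default
    }

    public static void main(String[] args) {
        MetaFileDownloadGuard guard = new MetaFileDownloadGuard();
        guard.addPartnerPicture(new MetaFile(1, "partner-logo.png"));              // constructed sample data
        guard.addDmsFile(new DmsFile(10, new MetaFile(2, "contract.pdf"), Set.of("alice")));
        guard.addDmsFile(new DmsFile(11, new MetaFile(3, "payroll.xlsx"), Set.of("hr")));

        // The loop from the issue, run as "bob", who only has MetaFile read permission:
        // with the guard in front of /content/download only the partner picture is served.
        for (long i = 1; i <= 3; i++) {
            System.out.println("bob  -> MetaFile/" + i + ": " + (guard.canDownload("bob", i) ? "allowed" : "denied"));
        }
        System.out.println("alice -> MetaFile/2: " + (guard.canDownload("alice", 2) ? "allowed" : "denied"));
    }
}
```

Swapping the numeric id for a UUID (the first suggestion) only hides the identifier; the guard above still has to run on every download, since a UUID that leaks in a log or a shared link would otherwise bypass the DMS permission entirely.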

axeloradmin commented 5 years ago

Yes, it's not easy to fix. We will consider your idea of using uuid for download. Thanks for reporting the issue.