Telokis
commented
5 years ago For the specific security concern I mentionned above, I choose this approach:
- Both
allow_accessandallow_publishuse a methodallow_actionwith different arguments. - Added the special
$owned-grouppermission that ensures the package is properly accessible by the user on Gitlab. This is the default behavior ofallow_publishin the current code. - Added handling of
$authenticatedproperly: it can explicitly be set and, if found, will simply ensureuser.name !== undefined. This is the default behavior foraccesspermission. (But I don't like thataccessandpublishhave different permissions, it may make more sense to let both be$owned-groupbut I didn't want to change the behavior too much). - Added handling of
BUILTIN_ACCESS_LEVEL_ANONYMOUSfor all actions. There is no reason a user shouldn't be able to config its Verdaccio so anyone can do anything for a specific action. - Added dynamic and complete error message mentionning the potential reasons why the access was refused.
The new code can be found here.
bufferoverflow
I am currently trying to implement #99 and noticed that anybody can access any package as long as they are authenticated through Gitlab. (https://github.com/bufferoverflow/verdaccio-gitlab/blob/v2.2.0/src/gitlab.js#L158)
From what I understand, to check whether the user is allowed to access a package or not, we only check if its user is set.
There is no verification made to ensure the user is accessing a scope he owns or that he has the proper access rights.
I am currently working on #99 so I could tackle this issue as well, I think. We just have to properly discuss the approach to solve it.
Here is what I planned to do to solve #99:
allowAnyScope. This tells the plugin that accessing a non-owned scope might be allowed.allowAnyScopeis true, we don't fail whenpackagePermitis false. Instead, we retrieve_package.publishand check if its value is withinuser.real_groups.Doing this was easy but I didn't expect to be able to see/access my published package. That's how I found the security concern.
Proposed solution:
I think the behavior for
allow_accessshould follow the same pattern asallow_publish: If the user doesn't have access to the group/project, it cannot access the packages within that scope.