Hi, I think I might have found a bug (unless I'm missing something).
Some failing tests to demonstrate the bug can be found here. See // TODO fails.
Essentially, let there be two Data-assets named X and Y. Also let X.containedData = {Y}. Then we have that: X.identityRead implies Y.write -- which I think is a bug.
I think the problem is the edge readContainedDataAndInformation -> containedData.attemptAccess, but I'm not sure. Most likely the read-flow through Data needs to be split up into multiple flows such that the privileges of X are correctly passed on to Y. Right now the privilege information gets lost along the way since all read-flows pass through X.read.
There is a related issue with the use of Data.authenticated defense. If X.authenticated but not Y.authenticated then the attacker (at X.attemptAccess) can reach X.read but not X.write (as expected). However, because the attacker can reach X.read they can also reach Y.write -- which I think is a bug. I was expecting the X.authenticated defense to also protect Y when the attacker is accessing Y through X.
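To make the two reported paths concrete, here is an added reachability model of the attack steps named in the report. It is illustrative code written for this page, not the language's actual specification and not the reporter's failing tests. The edge set it assumes (attemptAccess -> read, attemptAccess -> write unless the authenticated defense is on, identityRead -> read, read -> readContainedDataAndInformation, and the reported edge readContainedDataAndInformation -> containedData.attemptAccess) is a simplified reconstruction from the report. The `split_read_flows` option is likewise only one hypothetical way of carrying X's privilege level over to Y, included to show what "splitting the read-flow" changes, not a proposed patch.

```python
"""Toy attack-step reachability model for the Data / containedData issue.

Assumption: the edges below are a simplified reconstruction of the language's
Data asset as described in the report, not its real definition.
"""
from collections import deque


class Data:
    """A Data asset with the steps and defense mentioned in the report."""

    def __init__(self, name, authenticated=False):
        self.name = name
        self.authenticated = authenticated  # the Data.authenticated defense
        self.containedData = set()

    def step(self, s):
        return (self.name, s)

    def edges(self, split_read_flows=False):
        """Outgoing edges for this asset's attack steps (assumed shape)."""
        e = [(self.step("attemptAccess"), self.step("read"))]
        # The authenticated defense blocks attemptAccess -> write only.
        if not self.authenticated:
            e.append((self.step("attemptAccess"), self.step("write")))
        # All read-flows funnel through `read`, which is where the privilege
        # level (identityRead vs. full read) is lost.
        e.append((self.step("identityRead"), self.step("read")))
        e.append((self.step("read"), self.step("readContainedDataAndInformation")))
        for child in self.containedData:
            if split_read_flows:
                # Hypothetical split: pass the same privilege on to the child
                # instead of granting it a fresh attemptAccess.
                e.append((self.step("identityRead"), child.step("identityRead")))
                e.append((self.step("read"), child.step("read")))
            else:
                # The edge the report points at.
                e.append((self.step("readContainedDataAndInformation"),
                          child.step("attemptAccess")))
        return e


def reachable(assets, start, split_read_flows=False):
    """Breadth-first closure over the attack-step graph from one start step."""
    adj = {}
    for a in assets:
        for src, dst in a.edges(split_read_flows):
            adj.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def identity_read_reaches_contained_write(split_read_flows=False):
    """Report, part 1: does X.identityRead reach Y.write when X contains Y?"""
    X, Y = Data("X"), Data("Y")
    X.containedData.add(Y)
    return Y.step("write") in reachable([X, Y], X.step("identityRead"), split_read_flows)


def authenticated_scenario(split_read_flows=False):
    """Report, part 2: X.authenticated but not Y.authenticated, attacker at X.attemptAccess."""
    X, Y = Data("X", authenticated=True), Data("Y")
    X.containedData.add(Y)
    r = reachable([X, Y], X.step("attemptAccess"), split_read_flows)
    return {
        "X.read": X.step("read") in r,
        "X.write": X.step("write") in r,
        "Y.write": Y.step("write") in r,
    }


if __name__ == "__main__":
    print("X.identityRead -> Y.write:", identity_read_reaches_contained_write())
    print("authenticated X:", authenticated_scenario())
    print("with split read-flows:", identity_read_reaches_contained_write(True),
          authenticated_scenario(True))
```

With the reported edge in place, both functions reproduce what the report says: `X.identityRead` reaches `Y.write`, and with `X.authenticated` the attacker is stopped at `X.write` but still reaches `Y.write` through `X.read`. With the hypothetical split, Y only ever receives the privilege the attacker already had on X.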