Closed kiraum closed 1 month ago
@kiraum are you sure this is NetBox 4.0.3? This sounds like #16228 which was in NetBox 4.0.2 but fixed in 4.0.3
@arthanson, I was running 4.0.2, but pulled new image, and via API/UI, I do see version 4.0.3:
unit@45f666ac0bd0:/opt/netbox$ head -3 docs/release-notes/version-4.0.md
# NetBox v4.0
## v4.0.3 (2024-05-22)
docker image inspect f876940be42f | jq -r '.[].Config.Labels."netbox.git-ref"'
3f345cdbee016243ab5162456ea5415472a2f2df
https://github.com/netbox-community/netbox/commit/3f345cdbee016243ab5162456ea5415472a2f2df
Should I rely on those versions or do we have a better (more reliable) way to check it?
I've destroyed the environment, and recreated to see if there wasn't left overs from the old build, but still the same.
I just tested this. I am not able to reproduce.
Please provide more comprehensive steps including what objects to create for testing against (I see you are querying ASN's but I don't see how to create that ASN specifically)
@DanSheps , thanks for checking, follow the step by step:
» git clone git@github.com:netbox-community/netbox-docker.git
» cd netbox-docker
» tee docker-compose.override.yml <<EOF
services:
netbox:
ports:
- 8000:8080
EOF
services:
netbox:
ports:
- 8000:8080
» vi docker-compose.yml
» git diff
diff --git a/docker-compose.yml b/docker-compose.yml
index 958561f..afc6905 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,6 @@
services:
netbox: &netbox
- image: docker.io/netboxcommunity/netbox:${VERSION-v4.0-2.9.1}
+ image: docker.io/netboxcommunity/netbox:${VERSION-v4.0.3-2.9.1}
depends_on:
- postgres
- redis
» docker-compose pull
» docker-compose up -d
» docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
netboxcommunity/netbox v4.0.3-2.9.1 f876940be42f 3 days ago 707MB
redis 7-alpine cdb453bbf446 4 days ago 42MB
postgres 16-alpine 1220ef94dbc4 5 days ago 250MB
» docker image inspect f876940be42f | jq -r '.[].Config.Labels."netbox.git-ref"'
3f345cdbee016243ab5162456ea5415472a2f2df
» docker compose exec netbox /opt/netbox/netbox/manage.py createsuperuser
# created an user test via UI, without group/permissions (not superadmin)
# created token b97beb333cf5f381025440a4037b3284373b3ab3 associated with user test
# created a provider, just to have something to query
Here, I can get data without permissions set to the user:
» curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/graphql/ \
--data '{"query": "query {provider(id:1) {name}}"}'
{"data": {"provider": {"name": "test-p"}}}%
» curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/status/ | jq '.'
{
"django-version": "5.0.6",
"installed-apps": {
"debug_toolbar": "4.3.0",
"django_filters": "24.2",
"django_prometheus": "2.3.1",
"django_rq": "2.10.2",
"django_tables2": "2.7.0",
"drf_spectacular": "0.27.2",
"drf_spectacular_sidecar": "2024.5.1",
"mptt": "0.16.0",
"rest_framework": "3.15.1",
"social_django": "5.4.1",
"taggit": "5.0.1",
"timezone_field": "6.1.0"
},
"netbox-version": "4.0.3",
"plugins": {},
"python-version": "3.11.6",
"rq-workers-running": 1
}
If I try to get user details with the token without permissions, I do see a reject:
» curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/users/\?username\=test
{"detail":"You do not have permission to perform this action."}%
Using a superuser token, just to show the current permissions and tokens:
» curl -s -H "Authorization: Token 6065f2a66b6b6e08c4ea68b07976e998f6b29a67" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/users/\?username\=test | jq '.'
{
"count": 1,
"next": null,
"previous": null,
"results": [
{
"id": 2,
"url": "http://localhost:8000/api/users/users/2/",
"display": "test",
"username": "test",
"first_name": "",
"last_name": "",
"email": "",
"is_staff": false,
"is_active": true,
"date_joined": "2024-05-27T20:25:24.362362Z",
"last_login": null,
"groups": [],
"permissions": []
}
]
}
» curl -s -H "Authorization: Token 6065f2a66b6b6e08c4ea68b07976e998f6b29a67" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/tokens/ | jq -r '.'
{
"count": 2,
"next": null,
"previous": null,
"results": [
{
"id": 1,
"url": "http://localhost:8000/api/users/tokens/1/",
"display": "b97beb333cf5f381025440a4037b3284373b3ab3",
"user": {
"id": 2,
"url": "http://localhost:8000/api/users/users/2/",
"display": "test",
"username": "test"
},
"created": "2024-05-27T20:26:12.198312Z",
"expires": null,
"last_used": "2024-05-27T20:31:55.628047Z",
"key": "b97beb333cf5f381025440a4037b3284373b3ab3",
"write_enabled": true,
"description": "",
"allowed_ips": []
},
{
"id": 2,
"url": "http://localhost:8000/api/users/tokens/2/",
"display": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67",
"user": {
"id": 1,
"url": "http://localhost:8000/api/users/users/1/",
"display": "admin",
"username": "admin"
},
"created": "2024-05-27T20:36:55.815834Z",
"expires": null,
"last_used": "2024-05-27T20:38:40.961444Z",
"key": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67",
"write_enabled": true,
"description": "",
"allowed_ips": []
}
]
}
Thanks, and please let me know if you need something else.
Hi, I noticed that I left write enable during the latest test, follow the result with write_enable as false for the test token in the same environment/deploy:
» curl -s -H "Authorization: Token 6065f2a66b6b6e08c4ea68b07976e998f6b29a67" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/tokens/ | jq -r '.'
{
"count": 2,
"next": null,
"previous": null,
"results": [
{
"id": 1,
"url": "http://localhost:8000/api/users/tokens/1/",
"display": "b97beb333cf5f381025440a4037b3284373b3ab3",
"user": {
"id": 2,
"url": "http://localhost:8000/api/users/users/2/",
"display": "test",
"username": "test"
},
"created": "2024-05-27T20:26:12.198312Z",
"expires": null,
"last_used": "2024-05-27T20:31:55.628047Z",
"key": "b97beb333cf5f381025440a4037b3284373b3ab3",
"write_enabled": false,
"description": "",
"allowed_ips": []
},
{
"id": 2,
"url": "http://localhost:8000/api/users/tokens/2/",
"display": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67",
"user": {
"id": 1,
"url": "http://localhost:8000/api/users/users/1/",
"display": "admin",
"username": "admin"
},
"created": "2024-05-27T20:36:55.815834Z",
"expires": null,
"last_used": "2024-05-28T04:34:33.458954Z",
"key": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67",
"write_enabled": true,
"description": "",
"allowed_ips": []
}
]
}
» curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/graphql/ \
--data '{"query": "query {provider(id:1) {name}}"}'
{"data": {"provider": {"name": "test-p"}}}%
This is a reminder that additional information is needed in order to further triage this issue. If the requested details are not provided, the issue will soon be closed automatically.
@DanSheps do you need more details? Received a message from @github telling if details are not provided issue will be resolved.
Alright,
The fundamental issue is that for a single ASN query, we have:
class IPAMQuery:
@strawberry.field
def asn(self, id: int) -> ASNType:
return models.ASN.objects.get(pk=id)
the models.ASN.objects.get(pk=id)
is just simply not calling restrict. AFAIK, all models are impacted by this.
Deployment Type
Self-hosted
NetBox Version
v4.0.3
Python Version
3.11
Steps to Reproduce
Test user does not have any permissions associated with it (I am using the admin token to make the query):
Test user token:
Now using the test user token without any permissions via Graphql:
In my understanding, if a user/token has no permissions, it should reject by default.
Version:
This may be related with the issue#16228.
Expected Behavior
The system should reject GraphQL queries from users or tokens that do not have the necessary permissions.
Observed Behavior
During testing, it was discovered that if a user or token lacks permissions, the system does not enforce authentication for GraphQL queries. This was observed using a test user with no permissions, where GraphQL queries still returned sensitive data.
GraphQL queries are processed and data is returned even when the user or token has no permissions.
Further investigation is needed to confirm the scope and cause of the authentication bypass. Additional details will be provided upon request.