nodeSolidServer / node-solid-server

Solid server on top of the file-system in NodeJS
https://solidproject.org/for-developers/pod-server

External WebId security issue #1597

Open bourgeoa opened 3 years ago

bourgeoa commented 3 years ago

Tim Berners-Lee @timbl May 14 16:11 Interesting: Trying to register a new account with an external webid I get a message saying linked accounts are not supported?

Alain Bourgeois @bourgeoa May 14 16:18 @timbl it has been removed by @michielbdejong and I don't know why solid/node-solid-server#1566

Tim Berners-Lee @timbl May 14 16:40 I assume it was a security thing? I wonder how many accounts there are with linked owners

Tim Berners-Lee @timbl mai 14 16:46 Anyone else know?

Michiel de Jong @michielbdejong 09:27 Yes, it was a security thing. We can only re-activate it if we fix the way aliases work, first. With the current code, it was possible to steal any existing username on the same server and make it a local alias of the newly created account. So you would need to add a check to make sure the external webid is not local!

@michielbdejong Are aliases owl:sameAs? Is the security issue related to CORS?

michielbdejong commented 3 years ago

It's user.link, unrelated to owl and to cors. https://github.com/solid/node-solid-server/blob/main/lib/models/authenticator.js#L147

bourgeoa commented 2 years ago

Reminder: solid:oidcIssuer is not implemented for external webId https://github.com/solid/node-solid-server/issues/1510#issuecomment-1058244694