opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[BUG] ActionGroup has `type` property which can be set as null using REST API #4374

Closed willyborankin closed 3 weeks ago

willyborankin commented 1 month ago

What is the bug? The type property for action groups has never been validated. As a result, it is possible to create/update an action group without it, and this group is never involved in the permissions check. Besides, it is possible to set any string for the type.

What is the expected behavior? The REST API should validate the action group type and accept two possible values: cluster and index.

scrawfor99 commented 1 month ago

[Triage] Hi @willyborankin thanks for filing this issue. Nice catch. We should definitely validate the action groups coming in.
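
An added example, not part of the issue thread or the project's code: an offline audit that flags action group definitions whose `type` is missing, null, or outside the two values the report names. The JSON shape (group name mapped to its definition), the sample groups, and the case-sensitive comparison are assumptions.

```python
import json

# Values the issue says the REST API should accept for an action group's type.
# Assumption: the comparison is case-sensitive, so "Index" is rejected.
ALLOWED_TYPES = {"cluster", "index"}

# Constructed sample; assumed shape: group name -> definition object.
SAMPLE_ACTION_GROUPS = json.loads("""
{
  "read_logs":    {"type": "index",   "allowed_actions": ["indices:data/read/search*"]},
  "ops_monitor":  {"type": "cluster", "allowed_actions": ["cluster:monitor/health"]},
  "no_type":      {"allowed_actions": ["indices:data/read/get"]},
  "null_type":    {"type": null,      "allowed_actions": ["indices:data/write/index"]},
  "typo_type":    {"type": "indices", "allowed_actions": ["indices:admin/get"]},
  "upper_type":   {"type": "Index",   "allowed_actions": ["indices:admin/get"]},
  "numeric_type": {"type": 1,         "allowed_actions": ["cluster:monitor/state"]}
}
""")


def check_type(definition):
    """Return None if the type is acceptable, else a short reason string."""
    if "type" not in definition:
        return "type is missing"
    value = definition["type"]
    if value is None:
        return "type is null"
    if not isinstance(value, str):
        return f"type is not a string: {value!r}"
    if value not in ALLOWED_TYPES:
        return f"type is not one of {sorted(ALLOWED_TYPES)}: {value!r}"
    return None


def audit_action_groups(groups):
    """Map each offending group name to the reason its type is rejected."""
    findings = {}
    for name, definition in groups.items():
        reason = check_type(definition)
        if reason is not None:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    for name, reason in audit_action_groups(SAMPLE_ACTION_GROUPS).items():
        print(f"{name}: {reason}")
```

Groups reported here are the ones the issue describes as never taking part in the permissions check, so roles that reference them deserve a review.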