Closed Ian-Butler-Novacoast closed 3 years ago
Yeah, slashes aren't supported in ID names, we should probably reject those on POST/PUT.
We used the slash to include a path component at the end, similar to what AWS does in their ARN syntax. If it's rejected, that will probably cause issues with IAM compatibility #59.
What character ranges are supported?
Everything except a slash! Slashes are very dangerous when you're using an ID like foo/../../bar, for example, which can trick systems into a path rewrite attack.
Regarding AWS compatibility, we'll cross that bridge when we come to it. It will be a different API anyways and maybe we'll not rely on paths there for retrieval.
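The two sides of the discussion above, as an added example that is not Ory Keto's code: a hypothetical ValidateID that rejects slashes on POST/PUT (after URL-decoding, so some%2Fgroup is caught too), next to a ResolvedPath helper that shows why an unvalidated id like foo/../../bar escapes the base path once a server joins it onto a route or storage path.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrInvalidID is returned for identifiers the API should reject on POST/PUT.
var ErrInvalidID = errors.New("invalid id: must be non-empty and contain no '/'")

// ValidateID is a hypothetical validator (not Keto's own): it URL-decodes the
// id and rejects anything that contains a slash, so a later lookup by path can
// never be turned into a traversal. A plain body id like "some/group" decodes
// to itself and is rejected the same way as "some%2Fgroup".
func ValidateID(raw string) (string, error) {
	id, err := url.PathUnescape(raw)
	if err != nil || id == "" || strings.Contains(id, "/") {
		return "", ErrInvalidID
	}
	return id, nil
}

// ResolvedPath shows the danger of an unvalidated id: if a server builds a
// route or storage path by joining a base with the decoded id, path.Clean
// resolves the ".." components and the result leaves the base.
func ResolvedPath(base, rawID string) string {
	id, err := url.PathUnescape(rawID)
	if err != nil {
		id = rawID
	}
	return path.Clean(base + "/" + id)
}

// Escaped reports whether the resolved path ended up outside the base.
func Escaped(base, rawID string) bool {
	return !strings.HasPrefix(ResolvedPath(base, rawID), base+"/")
}

func main() {
	// Constructed sample ids: the reporter's some%2Fgroup, a traversal, a clean id.
	for _, raw := range []string{"some%2Fgroup", "foo%2F..%2F..%2Fbar", "tenant123"} {
		id, err := ValidateID(raw)
		fmt.Printf("%-22s validate=%q err=%v resolves=%s escaped=%v\n",
			raw, id, err, ResolvedPath("/roles", raw), Escaped("/roles", raw))
	}
}
```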
Gotcha, I'm an app pentester (Ian too) and totally understand the security concern. But I'd argue here it's a case of requiring the app to conform to an artificial limitation. And that slashes not only are perfectly valid here but also enable a granular and flexible ID scheme. With proper input validation of course.
For instance, how should we best implement an ID scheme in a multi-tenant ticketing system where each tenant has their own organizational structure with multiple arbitrary levels?
novacoast:ticketsystem:tenant123:ticket/department456/project789/folderXYZ/*
If we have a clean PR to support slash that touches minimal code and maintains security would you guys consider it?
Of course :) Unfortunately I think this is an issue with httprouter iirc, but maybe I'm wrong.
I am closing this issue as our Google Zanzibar-based refactoring is scheduled to be released soon. Ory Keto up to version 0.5 will go in hibernation mode and receive only critical security patches.
Describe the bug
When I try to GET or DELETE a role with a / in the string for the id, a 404 error response is returned. The same issue exists for policy ids.

Reproducing the bug
Steps to reproduce the behavior:

1. docker run ....

2. Use a / in the id, for example:

curl -X PUT \
  http://localhost:32034/engines/acp/ory/exact/roles \
  -H 'Accept: application/json' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 53' \
  -H 'Content-Type: application/json' \
  -H 'Host: localhost:32034' \
  -H 'cache-control: no-cache' \
  -d '{ "id": "some/group", "members": ["string"] }'

and confirm a 200 OK response.

3. curl -X GET \
  http://localhost:32034/engines/acp/ory/exact/roles/some%2Fgroup

4. curl -X DELETE \
  http://localhost:32034/engines/acp/ory/exact/roles/some%2Fgroup
Result: 404 responses for the GET and DELETE requests; however, the role is included when listing all roles.
Expected behavior
GET and DELETE should handle URL-encoded identifiers, or an id with a slash should be prevented from being used to create a role.