elastic/connectors-ruby

SharePoint security methodology is wrong - any plans to fix?

Closed this issue · 12 comments

Just reviewing the SharePoint online connector security model and there are a number of issues, particularly around documents restricted to groups.

Are there any plans to redo the connector security component?

Has the Office365 connector been removed from this repo? I can find it in 8.3 but not main

the connector that is in the 83 branch is for Workplace Search the standalone product and is restricted to the 8.3 branch. The new Office 365 connector that is broadly applicable for unified search architectures and Elastic will be found in https://github.com/elastic/connectors-python

Are there any plans to redo the connector security component?

Yes. We'd love your feedback on the new proposals.

@serenachou is this the right file for Sharepoint Online? It doesn't seem to do security at all, is that out of scope for new system? https://github.com/elastic/connectors-python/blob/main/connectors/sources/sharepoint.py

Is Elasticsearch Workplace Search connectors still being worked on? At the moment the document security doesn't really work is the problem...

Is Elasticsearch Workplace Search connectors still being worked on?

The code you're looking at for the connector package is not being actively worked on - as they're in a stable state for the Workplace Search product experience. However, where we are actively iterating is to elevate a SharePoint Online open code connector to be available for Elasticsearch & Enterprise Search use cases as part of the connector framework that you've linked to in the python connectors.

It doesn't seem to do security at all, is that out of scope for new system? https://github.com/elastic/connectors-python/blob/main/connectors/sources/sharepoint.py

Adding additional document level security is on our roadmap for this connector but isn't in that version yet. we'd love and welcome your feedback for that!

so tell us exactly what you mean by "document security doesn't really work"?

☝️ echoing that request, I'd also like to understand what you mean when you say, "there are a number of issues, particularly around documents restricted to groups." @catmanjan . Concrete examples with expected behavior vs actual behavior would be helpful. None of the engineers on this projects should be considered "Sharepoint experts", so please don't feel bad over-sharing context - it may be helpful.

@seanstory @serenachou we've tested the connector at a client site and found many MANY cases where users are shown documents they shouldn't - we've narrowed down those scenarios to particular flaws in the implementation (thanks to it being open source)

I would go into more detail but there is a financially blurred line...

I just wanted to check if you were aware there are issues with the security side of things, and it sounds like you kind of are because you are now reimplementing the whole connector?

I just wanted to check if you were aware there are issues with the security side of things, and it sounds like you kind of are because you are now reimplementing the whole connector?

I think this is a misunderstanding. We're building a new connector framework for a variety of reasons. This new connector framework doesn't currently support DLS, but we're working to add that support. As we do, we're taking lessons learned from our previous implementation, and attempting to make improvements. However, we aren't currently looking at dramatic changes to our understanding of the Sharepoint security model - we're looking at just implementing our previous understanding closer to the Elastic stack, and with less burden on the operator. The single exception is that we're hoping to provide support for Site Pages and their dynamic contents based on permissions. But as site pages weren't even included in the old connectors, I don't think that's what you're talking about.

I would go into more detail but there is a financially blurred line...

I don't understand what's blurry. If you have found bugs in our security implementation and would like them fixed, you'll need to help us understand what issues you've encountered. If they are too sensitive to post here, please utilize our security policy.

we've narrowed down those scenarios to particular flaws in the implementation (thanks to it being open source)

Just to be explicit, which open source implementation are you referencing? There are several out there under the Elastic umbrella, and I want to be sure we're talking about the same code.

I don't understand what's blurry.

The blurry part is financial, AKA why work for free

Just to be explicit, which open source implementation are you referencing? There are several out there under the Elastic umbrella, and I want to be sure we're talking about the same code.

The one in this repo and the python one have the problem

The blurry part is financial, AKA why work for free

As per our security policy, we have a bug bounty program, if you mean that you don't want to report a security issue without being paid for it.

@seanstory interesting thanks for the link, unfortunately the numbers are way too low to be worthwhile in my country