Atomic Operations permitting actions that were cut off from Controller
alnotas opened this issue · 3 comments
Greetings again
We have made use of the Atomic Operations feature of JsonApiDotNetCore, but we stumbled upon a vulnerability of sorts.
Let's say we have a Resource called ProductPricelistItem and we have a custom implementation of its controller, stating first that we don't desire the automatic generation of the controller's endpoints.
Then we create our custom controller for this resource, but we decide, for example, that we don't want to allow the creation of new items from this controller. So we omit the injection of the CreateService from the controller.
The result is as expected when trying to post a new record.
But it seems that when using the Atomic Operations (AO) feature, the custom controller is bypassed and AOs are headed directly to the ProductPricelistItemService.
This results in being able to create new ProductPricelistItems although we are not allowing it through their dedicated Controller, and that is bad news.
How can we get the AOs to take the Resource's controller setup into account?
Is there a quick and safe way for the service to "sniff" the controller's setup and prevent the POST from executing?
Thank you
VERSIONS USED
JsonApiDotNetCore version: 5.5.1
ASP.NET Core version: 8.0.6
Entity Framework Core version: 8.0.4
Database provider: SQL Server 14.0.2052.1
First of all, if you believe to have found a vulnerability, it's best to report it privately via "Report a vulnerability" instead of creating a publicly visible regular issue.
In this case, the behavior is expected and documented. See the docs at https://www.jsonapi.net/usage/writing/bulk-batch-operations.html.
Thank you for your answer
'Vulnerability' may be misleading, as it is apparently not a 'security' gap in the library but a scenario that, if we had missed testing it, would probably have created a vulnerability in our project.
That's why I'm mainly asking for ideas for a workaround and not for a 'fix' in the library.
As @bkoelman mentioned above in this link https://www.jsonapi.net/usage/writing/bulk-batch-operations.html, there was a significant change in 5.6.0 (we were at 5.5.1) to AtomicOperations, so I had to update and register an IAtomicOperationFilter. By using reflection, every time the new bool IsEnabled(ResourceType resourceType, WriteOperationKind writeOperation) method is triggered, we use the resourceType to retrieve the resource's controller, and we also retrieve the injected services, if any (ICreateService, IUpdateService, IDeleteService). According to which one is used, and in accordance with the writeOperationKind, the method returns true or false, permitting or forbidding the completion of the specific Atomic Operation.
Thank you.
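The workaround sketched in the last comment, written out as an added example. This is not code from the issue author or from JsonApiDotNetCore; it assumes the 5.6 API names the thread refers to (IAtomicOperationFilter, ResourceType, WriteOperationKind) plus the library's BaseJsonApiController<TResource, TId> base class and I*Service<TResource, TId> interfaces, and it assumes the convention that every custom controller derives from BaseJsonApiController<,> and lives in one assembly passed to the constructor. The mapping from operation kind to required service and the ControllerAwareOperationFilter name are this example's own choices. It fails closed: an unknown operation kind or a resource without a controller is denied.

```csharp
// Added example: an IAtomicOperationFilter that permits an atomic operation only when
// the resource's controller was constructed with the matching write service.
// Assumptions (not verified against the project's own code): JsonApiDotNetCore 5.6+
// type names, and that custom controllers derive from BaseJsonApiController<TResource, TId>.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using JsonApiDotNetCore.Configuration;
using JsonApiDotNetCore.Controllers;
using JsonApiDotNetCore.Middleware;
using JsonApiDotNetCore.Services;

public sealed class ControllerAwareOperationFilter : IAtomicOperationFilter
{
    // Which injected service a controller must take for each write operation kind.
    // Open generic definitions are compared, so TResource/TId do not matter here.
    private static readonly IReadOnlyDictionary<WriteOperationKind, Type> RequiredServiceByOperation =
        new Dictionary<WriteOperationKind, Type>
        {
            [WriteOperationKind.CreateResource] = typeof(ICreateService<,>),
            [WriteOperationKind.UpdateResource] = typeof(IUpdateService<,>),
            [WriteOperationKind.DeleteResource] = typeof(IDeleteService<,>),
            [WriteOperationKind.SetRelationship] = typeof(ISetRelationshipService<,>),
            [WriteOperationKind.AddToRelationship] = typeof(IAddToRelationshipService<,>),
            [WriteOperationKind.RemoveFromRelationship] = typeof(IRemoveFromRelationshipService<,>)
        };

    // Reflection results per resource CLR type; filled once, then reused on every operation.
    private readonly ConcurrentDictionary<Type, HashSet<Type>> _servicesByResource = new();
    private readonly Assembly _controllerAssembly;

    public ControllerAwareOperationFilter(Assembly controllerAssembly)
    {
        _controllerAssembly = controllerAssembly ?? throw new ArgumentNullException(nameof(controllerAssembly));
    }

    public bool IsEnabled(ResourceType resourceType, WriteOperationKind writeOperation)
    {
        // Fail closed on any operation kind this filter does not know about.
        if (!RequiredServiceByOperation.TryGetValue(writeOperation, out Type? requiredService))
        {
            return false;
        }

        HashSet<Type> injected = _servicesByResource.GetOrAdd(resourceType.ClrType, DiscoverInjectedServices);
        return injected.Contains(requiredService);
    }

    // Finds the controller whose BaseJsonApiController<TResource, TId> argument is this
    // resource and collects the open generic service interfaces its constructors accept.
    private HashSet<Type> DiscoverInjectedServices(Type resourceClrType)
    {
        Type? controllerType = _controllerAssembly.GetTypes()
            .FirstOrDefault(type => !type.IsAbstract && ResourceTypeOfController(type) == resourceClrType);

        var services = new HashSet<Type>();
        if (controllerType == null)
        {
            return services; // no controller at all: deny every atomic write
        }

        foreach (ConstructorInfo ctor in controllerType.GetConstructors())
        {
            foreach (ParameterInfo parameter in ctor.GetParameters())
            {
                if (parameter.ParameterType.IsGenericType)
                {
                    services.Add(parameter.ParameterType.GetGenericTypeDefinition());
                }
            }
        }

        return services;
    }

    private static Type? ResourceTypeOfController(Type type)
    {
        for (Type? current = type.BaseType; current != null; current = current.BaseType)
        {
            if (current.IsGenericType && current.GetGenericTypeDefinition() == typeof(BaseJsonApiController<,>))
            {
                return current.GetGenericArguments()[0];
            }
        }

        return null;
    }
}

// Registration (assumed call site in Program.cs; the assembly choice is this example's):
// builder.Services.AddSingleton<IAtomicOperationFilter>(
//     new ControllerAwareOperationFilter(typeof(Program).Assembly));
```

Two caveats a reviewer would raise. First, constructor parameters are only a proxy for what the controller exposes: a controller that takes ICreateService but overrides its POST action to reject requests is still treated as allowing creation, so any authorization logic that lives inside an action body must be duplicated in a resource definition or in this filter. Second, the reflection scan is keyed on the resource CLR type and cached, so a controller added to a different assembly than the one passed in is invisible and its resource is denied; that is the safe direction, but it will surface as failing operations rather than as an obvious misconfiguration.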