netbox-community/netbox-topology-views

Constraints not fully honored - Data Leak

Closed this issue · 5 comments

NetBox version

v3.7.4

Topology Views version

v3.9.0

Steps to Reproduce

I've created numerous permission constraints for a user (25 permissions in all) to lock down what they can/cannot see. As an example, one of the permissions is viewing DCIM.Devices with a constraint of [{"site__group_id": "5"}, {"tenant_id": "8"}] which when applied restricts them to seeing only the devices for their assigned site or tenant status.

Expected Behavior

When the user goes to any given page in NetBox where the constraints are applied, they only see objects which they are authorized to view.... to include under the Topology Views.

Observed Behavior

When the user navigates to a page such as Devices > Devices, they only see the devices which they have been constrained to see as dictated by the assigned permission. This much works exactly as intended. However, when navigating to the Topology Views page, if the user enters a very broad filter such as "Show Logical Connections" without any additional filters checked/selected (e.g. without limiting to a site or tenant)... the expectation is that the user would only have objects rendered that they have access to view. Instead, they are shown EVERY object with a connection regardless of their assigned/constrained access. Making matters worse, when hovering over the objects, a pop-up window appears which exposes even further detailed information to which they should not have access to. On the up-shot... when they double click on an object to which they do not have access to, the details page for that object correctly tells them they do not have permission to view the object. But, they should have never been able to see the object and pop-up details in the first place. This is for all intents a security issue as visibility of devices and their connectivity far beyond what a user is authorized to have exposes data that would for most organizations be considered sensitive.

For what it's worth, I thought that this may have been related to another issue in NetBox core whereby some pages show quantities of objects for everything in the database rather than just the quantities for which a user has constrained privileges for (something that IMHO is also a security issue, all be it with less severity). I raised a bug report in core to address this issue first thinking that it may somehow be related to what is happening in Topology Views. (netbox-community/netbox#16093) However, that bug report was immediately closed by Jeramy stating in short that it was an expected behavior... to fix it should be submitted as a feature request... and that the issue with Topology Views as described in this bug report is unrelated and should be addressed separately with the plugin project.

Hi,

thanks for your bug report. Sounds interesting. How exactly do you set permission constraints? I didn't know that this is possible. Is this a native NetBox feature?

In NetBox, navigate to Admin>Permissions and then select "Add" to create a new permission. On that new window, there will be many options to select what objects the permissions apply to, what level of permission is being given, what users/groups the permissions are applied to... and all the way at the bottom is a box labeled as "Constraints" which by default is "null". The Constraints field can be used to filter results for the object sets specified in the above selected objects lists. So, as an example, in the objects list, if you select "DCIM > Devices", if the constraint is left as "null" the permission (e.g. "view") will be granted for ALL devices in the entire database. If you wish to restrict a user to only a specific set of objects, you can populate that constraints field with a JSON string to limit/filter the returned items from the query, and thus limit the permission. So, with the DCIM>Devices scenario... I've populated one particular client with the JSON string of:

[
{
"site__group_id": "5"
},
{
"tenant_id": "8"
}
]

...which limits the user to only seeing objects (devices in this case) that match the assigned Site Group ID = 5 and assigned Tenant ID of 8... thereby limiting them to only see a narrow select group of devices. With this constraint in place, when the user navigates to "Devices > Devices" in the menu, the only devices that show up in the list are those that match Site Group ID 5 and Tenant ID 8. All other devices are excluded. And, should they know the URL to a device that was not displayed in the list, when they go to that URL, it will display a message stating that they don't have permission to view it.

For reference, the 5 and 8 as shown above can be easily determined by looking in the upper right hand corner of the web page for the given object in question. As an example, if you click on a site, in the upper right hand portion of the screen you should see something like "dcim.site:5 (site name)" displayed just below your account name and above the action buttons.

As it pertains to this bug report, without having looked under the hood to see how everything actually works, it appears as though the devices are being pulled from the database without looking at the users assigned device permissions and associated constraints. From my brief testing with other objects, it appears to be the same issue for circuits, cables, etc... basically all the other object types displayed using Topology Views.

I see this has been flagged by mattieserver as "Completed" and was apparently fixed with the release of version 4.0.0 this past week. However, after upgrading to NetBox 4.0.6 and Topology Views 4.0.0 this evening... the problem regrettably persists. So, unless there is some previous server cache that needs to be purged after the update... it's still broken. In my test, as was originally stated... In all the other sections of NetBox where constraints are set... all is good... they are properly honored, and visibility is appropriately restricted. But, as soon as I go to Topology and select the most basic filter of something like "show cables" or "Show logical connection" and click save... the user can see everything within NetBox as if they were an admin, and not just the objects that the user should be constrained to seeing. So, if I missed something during the upgrade... please do let me know. Otherwise... please keep plugging away at why this behavior is happening.

It is not released yet.
The changes are on the dev branch but not on any tagged version.

Ah... my bad. Knowing that... and since it was just two lines of code... I manually edited those two lines in those two files (bad I know... but, I wanted to see if it would work) ... and after restarting NetBox... all is good with the world! :) Thank you mattieserver! #HappyDance