Page MenuHomePhabricator
Create Task
Maniphest T134699

Quarry: Query edit restriction is enforced in UI, not API
Closed, ResolvedPublic
Actions

Description

You can POST to https://quarry.wmflabs.org/api/query/run giving any value for query_id - it doesn't have to be one of your query IDs.

Details

SubjectRepoBranchLines +/-
Slightly stronger user authentication checkanalytics/quarry/webmaster+3 -0
Customize query in gerrit

Event Timeline

Krenair created this task.May 8 2016, 10:13 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 8 2016, 10:13 PM
Krenair added a project: Quarry.May 8 2016, 10:13 PM
Krenair added a project: Vuln-MissingAuthz.
Krenair added a subscriber: yuvipanda.
csteipp triaged this task as Low priority.May 10 2016, 9:51 PM
csteipp moved this task from Backlog / Other to External (Non-WMF) Issues on the acl*security board.
Krenair added a comment.May 10 2016, 10:26 PM

This allows you to overwrite other users' SQL queries, and the only way I know of getting them back is going through the database manually.

yuvipanda added a comment.May 11 2016, 6:01 AM

Oops.

diff --git a/quarry/web/app.py b/quarry/web/app.py
index 9a3d85a..d6cc96a 100644
--- a/quarry/web/app.py
+++ b/quarry/web/app.py
@@ -209,6 +209,9 @@ def api_run_query():
     text = request.form['text']
     query = g.conn.session.query(Query).filter(Query.id == request.form['query_id']).one()
 
+    if query.user_id != get_user().id:
+        return "Authorization denied", 401
+
     if query.latest_rev and query.latest_rev.latest_run:
         result = worker.run_query.AsyncResult(query.latest_rev.latest_run.task_id)
         if not result.ready():

How does that look?

Bawolff subscribed.May 11 2016, 9:18 AM

Presumably should be 403 since its not so much the user needs to log in as that they do not have permission

yuvipanda added a comment.Jul 1 2016, 6:59 PM

I've deployed https://gerrit.wikimedia.org/r/#/c/296952/ for this just now...

Krenair added a comment.Jul 1 2016, 7:13 PM

Great, is this done and ready to be closed/made public?

Bawolff closed this task as Resolved.Jul 26 2016, 12:40 AM
Bawolff claimed this task.

per yuvi on irc, this can be public now

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 26 2016, 12:40 AM
Bawolff changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptJul 26 2016, 12:40 AM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:42 PM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL