Skip to content

Commit

Permalink
dont leak info in UpdateSpace (#3449)
Browse files Browse the repository at this point in the history
Signed-off-by: jkoberg <[email protected]>

Signed-off-by: jkoberg <[email protected]>
  • Loading branch information
kobergj authored Nov 11, 2022
1 parent 413c0a3 commit c554766
Show file tree
Hide file tree
Showing 3 changed files with 29 additions and 2 deletions.
7 changes: 7 additions & 0 deletions changelog/unreleased/dont-leak-spaces.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Bugfix: Don't leak space information on update drive

There were some problems with the `UpdateDrive` func in decomposedfs when it is called without permission
- When calling with empty request it would leak the complete drive info
- When calling with non-empty request it would leak the drive name

https://github.com/cs3org/reva/pull/3447
22 changes: 21 additions & 1 deletion pkg/storage/utils/decomposedfs/spaces.go
Original file line number Diff line number Diff line change
Expand Up @@ -527,6 +527,13 @@ func (fs *Decomposedfs) UpdateStorageSpace(ctx context.Context, req *provider.Up
return nil, err
}

// check if user has access to the drive before continuing
if err := fs.checkViewerPermission(ctx, node); err != nil {
return &provider.UpdateStorageSpaceResponse{
Status: &v1beta11.Status{Code: v1beta11.Code_CODE_NOT_FOUND, Message: err.Error()},
}, nil
}

metadata := make(map[string]string, 5)
if space.Name != "" {
metadata[xattrs.NameAttr] = space.Name
Expand Down Expand Up @@ -958,7 +965,20 @@ func (fs *Decomposedfs) checkEditorPermission(ctx context.Context, n *node.Node)
msg := fmt.Sprintf("not enough permissions to change attributes on %s", filepath.Join(n.ParentID, n.Name))
return errtypes.PermissionDenied(msg)
}
return errtypes.NotFound(filepath.Join(n.ParentID, n.Name))
return errtypes.NotFound(n.ID)
}
return nil
}

func (fs *Decomposedfs) checkViewerPermission(ctx context.Context, n *node.Node) error {
// to update the space name or short description we need the manager role
// current workaround: check if RemoveGrant Permission exists
rp, err := fs.p.AssemblePermissions(ctx, n)
switch {
case err != nil:
return errtypes.InternalError(err.Error())
case !rp.Stat:
return errtypes.NotFound(n.ID)
}
return nil
}
Expand Down
2 changes: 1 addition & 1 deletion pkg/storage/utils/decomposedfs/spaces_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -373,7 +373,7 @@ var _ = Describe("Spaces", func() {
},
)
Expect(err).ToNot(HaveOccurred())
Expect(updateResp.Status.Code, rpcv1beta1.Code_CODE_PERMISSION_DENIED)
Expect(updateResp.Status.Code).To(Equal(rpcv1beta1.Code_CODE_NOT_FOUND))
})
})
})
Expand Down

0 comments on commit c554766

Please sign in to comment.