Defect #37171
Ability to change the issue category or issue target version with nonexistent value for the specific project
Status: Closed
Description
Hi there,
I found a way to change the category with a nonexistent ID for the specific project.
I will try to explain it in more detail (the user making the change has access to the project):
1. The user starts editing the ticket (clicks the "Edit" button).
2. Right-click on the Category field and choose "Inspect" (developer tools).
3. Then change the value of the category to one that is not in the project.
4. Click the "Submit" button, and the ID of a category that does not exist for the specific folder is saved.
Is there any way to verify that this category is in the project, to avoid this kind of change?
Cheers
Updated by Mischa The Evil over 2 years ago
- Subject changed from Ability to change the category with nonexistent for the specific project to Ability to change the issue category with nonexistent value for the specific project
- Category changed from Issues to Security
- Status changed from New to Confirmed
- Priority changed from Normal to High
- Private changed from No to Yes
Nikola Stojiljkovic Milanov: Thanks for reporting this issue.
I was able to reproduce the reported behavior using the provided steps on an old 4.2-stable (Rails 5.x) playground. I think this affects current trunk (Rails 6.x) too, but I haven't actually tested this.
I currently don't know for sure how pervasive this behavior is in that it might extend to other fields and/or modules, but this should nevertheless be properly investigated and acted upon given the potential security implications of this issue (issue and (custom) field visibility, workflows, assignees, API-request behavior, etc.).
Given all the above I'll:
- set the issue to private;
- set the issue priority to High;
- set the issue category to Security; and
- add Go, Holger and Marius as watchers.
@Go, holger mareck, Marius Ionescu: Can you all have a look into this matter?
Updated by Holger Just over 2 years ago
- File 0001-Validate-category_id-against-available-categories-in.patch 0001-Validate-category_id-against-available-categories-in.patch added
- File 0002-Validate-fixed_version_id-to-ensure-that-a-version-w.patch 0002-Validate-fixed_version_id-to-ensure-that-a-version-w.patch added
- Assignee changed from Holger Just to Marius BĂLTEANU
Attached, there are two patches to improve the validations:
0001-Validate-category_id-against-available-categories-in.patch adds the validation for the category_id to ensure that the given category is valid within the issue's project.
0002-Validate-fixed_version_id-to-ensure-that-a-version-w.patch improves the validation of the fixed_version_id to ensure that no invalid version (that is: one that does not exist at all) can be given.
I think all of the other fields are fine since they either reference global data (project, tracker, assigned_to, author, status) and/or are correctly checked already.
Marius or Maeda-san, could either of you check those patches and merge them? They should cleanly apply to the current trunk, 5.0-stable and 4.2-stable. I'm assigning the issue to Marius, please feel free to re-assign as necessary.
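The following is an added illustration of the two server-side checks described in the comment above; it is not Redmine's code and not the attached patches. It is framework-free Ruby: the Project, Category, Version and Issue classes and the errors_for helper are stand-ins for the real models, and the sample ids are constructed. The point it demonstrates is that ids posted by the form are untrusted input, so the model must check that a category belongs to the issue's project and that a target version actually exists, regardless of what the browser offered in the dropdown.

```ruby
# Added example (not Redmine's own code): minimal models standing in for
# Redmine's ActiveRecord classes, plus the two validations the patches add.
Category = Struct.new(:id, :project_id)
Version  = Struct.new(:id, :project_id)
Project  = Struct.new(:id, :categories, :versions)

class Issue
  attr_reader :project, :category_id, :fixed_version_id, :errors

  # all_versions stands in for the global versions table and is used to check
  # that a submitted fixed_version_id exists at all.
  def initialize(project:, category_id: nil, fixed_version_id: nil, all_versions: [])
    @project = project
    @category_id = category_id
    @fixed_version_id = fixed_version_id
    @all_versions = all_versions
    @errors = []
  end

  # Server-side validation: the ids come from the HTTP request, so the fact
  # that the form only listed the project's own categories proves nothing.
  def valid?
    @errors = []
    validate_category
    validate_fixed_version
    @errors.empty?
  end

  private

  # The category must be one of the issue's project's categories.
  # A blank category is allowed (the field is optional).
  def validate_category
    return if category_id.nil?
    return if project.categories.any? { |c| c.id == category_id }
    @errors << "category is not a category of project #{project.id}"
  end

  # The version must exist at all; a blank version is allowed. (Whether the
  # version is assignable to this project is a separate check, as in the page.)
  def validate_fixed_version
    return if fixed_version_id.nil?
    return if @all_versions.any? { |v| v.id == fixed_version_id }
    @errors << "fixed_version does not exist"
  end
end

# Constructed sample data: two projects, each with its own category and version.
VERSIONS  = [Version.new(10, 1), Version.new(20, 2)]
PROJECT_A = Project.new(1, [Category.new(100, 1)], [VERSIONS[0]])
PROJECT_B = Project.new(2, [Category.new(200, 2)], [VERSIONS[1]])

# Returns the validation errors for a submitted category/version pair, so the
# behaviour can be exercised without a web form.
def errors_for(project, category_id:, fixed_version_id: nil)
  issue = Issue.new(project: project, category_id: category_id,
                    fixed_version_id: fixed_version_id, all_versions: VERSIONS)
  issue.valid?
  issue.errors
end

if __FILE__ == $PROGRAM_NAME
  p errors_for(PROJECT_A, category_id: 100)                         # own category: accepted
  p errors_for(PROJECT_A, category_id: 200)                         # other project's category: rejected
  p errors_for(PROJECT_A, category_id: nil, fixed_version_id: 999)  # unknown version: rejected
end
```

The category check compares the posted id against the project's own list rather than merely against the categories table, which is exactly the gap the original report exploits: the id is a real category, just not one of this project's.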
Updated by Marius BĂLTEANU over 2 years ago
- Status changed from Confirmed to Resolved
- Target version set to 4.2.7
- Resolution set to Fixed
Thanks, I've committed both patches and I'm going to merge them to the stable branches once the tests pass.
Updated by Marius BĂLTEANU over 2 years ago
- Subject changed from Ability to change the issue category with nonexistent value for the specific project to Ability to change the issue category or issue target version with nonexistent value for the specific project
- Status changed from Resolved to Closed
Merged to stable branches.