Ability to change the issue category or issue target version with nonexistent value for the specific project
I found a way to change the category with a nonexistent ID for the specific project.
I will try to explain it in more detail (the user making the change has access to the project).
1. The user starts editing the ticket (clicks the "Edit" button).
2. Right-click on the Category field and choose "Inspect" (developer tools).
3. Then we change the value of the category to one that is not in the project.
4. Click the "Submit" button and we save the ID of a category that does not exist for the specific folder.
Is there any way to verify that this category is in the project to avoid this kind of change?
Updated by Mischa The Evil over 1 year ago
- Subject changed from Ability to change the category with nonexistent for the specific project to Ability to change the issue category with nonexistent value for the specific project
- Category changed from Issues to Security
- Status changed from New to Confirmed
- Priority changed from Normal to High
- Private changed from No to Yes
Nikola Stojiljkovic Milanov: Thanks for reporting this issue.
I was able to reproduce the reported behavior using the provided steps on an old 4.2-stable (Rails 5.x) playground. I think this affects current trunk (Rails 6.x) too, but I haven't actually tested this.
I currently don't know for sure how pervasive this behavior is in that it might extend to other fields and/or modules, but this should nevertheless be properly investigated and acted upon given the potential security implications of this issue (issue and (custom) field visibility, workflows, assignees, API-request behavior, etc.). Given all the above, I'll:
- set the issue to private;
- set the issue priority to High;
- set the issue category to Security; and
- add Go, Holger and Marius as watchers.
Updated by Holger Just over 1 year ago
- File 0001-Validate-category_id-against-available-categories-in.patch 0001-Validate-category_id-against-available-categories-in.patch added
- File 0002-Validate-fixed_version_id-to-ensure-that-a-version-w.patch 0002-Validate-fixed_version_id-to-ensure-that-a-version-w.patch added
- Assignee changed from Holger Just to Marius BALTEANU
Attached, there are two patches to improve the validations:
0001-Validate-category_id-against-available-categories-in.patch adds the validation for the category_id to ensure that the given category is valid within the issue's project.
0002-Validate-fixed_version_id-to-ensure-that-a-version-w.patch improves the validation of the fixed_version_id to ensure that no invalid version (that is: one that does not exist at all) can be given.
I think all of the other fields are fine since they either reference global data (status) and/or are correctly checked already.
Marius or Maeda-san, could either of you check those patches and merge them? They should cleanly apply to the current 4.2-stable. I'm assigning the issue to Marius, please feel free to re-assign as necessary.
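The following is an added illustration of the two behaviours discussed in this thread (the reporter's edited-form submission and the project-scoped validation Holger's patches describe); it is not Redmine's code and not the contents of the attached patches. It uses plain Ruby with constructed in-memory data instead of ActiveRecord, and the model, method and field names (Project, Issue, safe_attributes=, category_id, fixed_version_id) are assumptions chosen to mirror the thread, not Redmine's API. The "before" check only asks whether a category with the submitted ID exists anywhere, which is exactly what lets a category from another project be saved; the "after" check scopes the lookup to the issue's project and rejects a version ID that does not exist at all.

```ruby
# Added example, not Redmine's code: why an unscoped foreign-key check is not
# enough, and what a project-scoped validation of category_id looks like.

Category = Struct.new(:id, :project_id, :name)
Version  = Struct.new(:id, :name)

class Project
  attr_reader :id, :categories
  def initialize(id, categories)
    @id = id
    @categories = categories
  end
end

# Constructed sample data: two projects with their own categories, plus a
# global version table (assumption: versions are looked up by ID only here).
PROJECTS = {
  1 => Project.new(1, [Category.new(10, 1, "Backend"), Category.new(11, 1, "Frontend")]),
  2 => Project.new(2, [Category.new(20, 2, "Docs")]),
}.freeze
ALL_CATEGORIES = PROJECTS.values.flat_map(&:categories).freeze
VERSIONS = { 100 => Version.new(100, "1.0"), 101 => Version.new(101, "1.1") }.freeze

class Issue
  attr_reader :project, :category_id, :fixed_version_id, :errors

  def initialize(project)
    @project = project
    @errors = []
  end

  # Mimics mass assignment from a submitted form: the client controls these
  # IDs, and an edited <select> can carry any integer the user types in.
  def safe_attributes=(params)
    @category_id = params["category_id"]&.to_i
    @fixed_version_id = params["fixed_version_id"]&.to_i
  end

  # Pre-fix behaviour: the category only has to exist somewhere in the
  # database, so a category belonging to another project is accepted.
  def valid_unscoped?
    @errors = []
    if category_id && ALL_CATEGORIES.none? { |c| c.id == category_id }
      errors << "category_id #{category_id} does not exist"
    end
    errors.empty?
  end

  # Hardened behaviour: the category must belong to this issue's project,
  # and the target version must at least refer to an existing record.
  def valid?
    @errors = []
    if category_id && project.categories.none? { |c| c.id == category_id }
      errors << "category_id #{category_id} is not a category of project #{project.id}"
    end
    if fixed_version_id && !VERSIONS.key?(fixed_version_id)
      errors << "fixed_version_id #{fixed_version_id} does not exist"
    end
    errors.empty?
  end
end

# Simulates the "Submit" step for an issue in project_id with the given form
# params. Returns [accepted?, error messages].
def submit(project_id, params, hardened: true)
  issue = Issue.new(PROJECTS.fetch(project_id))
  issue.safe_attributes = params
  ok = hardened ? issue.valid? : issue.valid_unscoped?
  [ok, issue.errors]
end

if __FILE__ == $0
  # The reporter's steps: category 20 belongs to project 2 but is submitted for project 1.
  p submit(1, { "category_id" => "20" }, hardened: false)
  # => [true, []]                      accepted before the fix
  p submit(1, { "category_id" => "20" })
  # => [false, ["category_id 20 is not a category of project 1"]]
  p submit(1, { "category_id" => "10", "fixed_version_id" => "999" })
  # => [false, ["fixed_version_id 999 does not exist"]]
end
```

The practical check when auditing other fields is the same question the unscoped version gets wrong: not "does a row with this ID exist?" but "is this row one the current project (and user) is allowed to reference?". Any `belongs_to` that is filled from request parameters and only validated by existence is a candidate for the same cross-project reference.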
Updated by Marius BALTEANU over 1 year ago
- Subject changed from Ability to change the issue category with nonexistent value for the specific project to Ability to change the issue category or issue target version with nonexistent value for the specific project
- Status changed from Resolved to Closed
Merged to stable branches.