🔒 Fixed filtering on private Author fields in Content API

refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9

Because our filtering layer is so coupled to the DB and we don't generally
apply restrictions, it was possible to fetch authors and filter by their
password or email field. Coupled with the "starts with" operator this can be
used to brute force the first character of these fields by trying random
combinations until an author is included in the filter. After which the next
character can be brute forced, and so on until the data has been leaked
completely.
This commit is contained in:
Fabien "egg" O'Carroll 2023-05-02 07:59:17 -04:00 committed by Fabien 'egg' O'Carroll
parent 514c8917c0
commit b3caf16005
7 changed files with 304 additions and 6 deletions

View File

@ -1,6 +1,7 @@
const Promise = require('bluebird');
const tpl = require('@tryghost/tpl');
const errors = require('@tryghost/errors');
const {mapQuery} = require('@tryghost/mongo-utils');
const models = require('../../models');
const ALLOWED_INCLUDES = ['count.posts'];
@ -8,6 +9,17 @@ const messages = {
notFound: 'Author not found.'
};
const rejectPrivateFieldsTransformer = input => mapQuery(input, function (value, key) {
const lowerCaseKey = key.toLowerCase();
if (lowerCaseKey.startsWith('password') || lowerCaseKey.startsWith('email')) {
return;
}
return {
[key]: value
};
});
module.exports = {
docName: 'authors',
@ -29,7 +41,11 @@ module.exports = {
},
permissions: true,
query(frame) {
return models.Author.findPage(frame.options);
const options = {
...frame.options,
mongoTransformer: rejectPrivateFieldsTransformer
};
return models.Author.findPage(options);
}
},
@ -54,7 +70,11 @@ module.exports = {
},
permissions: true,
query(frame) {
return models.Author.findOne(frame.data, frame.options)
const options = {
...frame.options,
mongoTransformer: rejectPrivateFieldsTransformer
};
return models.Author.findOne(frame.data, options)
.then((model) => {
if (!model) {
return Promise.reject(new errors.NotFoundError({

View File

@ -1,5 +1,6 @@
const tpl = require('@tryghost/tpl');
const errors = require('@tryghost/errors');
const {mapQuery} = require('@tryghost/mongo-utils');
const models = require('../../models');
const ALLOWED_INCLUDES = ['tags', 'authors', 'tiers'];
@ -8,6 +9,17 @@ const messages = {
pageNotFound: 'Page not found.'
};
const rejectPrivateFieldsTransformer = input => mapQuery(input, function (value, key) {
let lowerCaseKey = key.toLowerCase();
if (lowerCaseKey.startsWith('authors.password') || lowerCaseKey.startsWith('authors.email')) {
return;
}
return {
[key]: value
};
});
module.exports = {
docName: 'pages',
@ -35,7 +47,11 @@ module.exports = {
},
permissions: true,
query(frame) {
return models.Post.findPage(frame.options);
const options = {
...frame.options,
mongoTransformer: rejectPrivateFieldsTransformer
};
return models.Post.findPage(options);
}
},
@ -64,7 +80,11 @@ module.exports = {
},
permissions: true,
query(frame) {
return models.Post.findOne(frame.data, frame.options)
const options = {
...frame.options,
mongoTransformer: rejectPrivateFieldsTransformer
};
return models.Post.findOne(frame.data, options)
.then((model) => {
if (!model) {
throw new errors.NotFoundError({

View File

@ -1,6 +1,7 @@
const models = require('../../models');
const tpl = require('@tryghost/tpl');
const errors = require('@tryghost/errors');
const {mapQuery} = require('@tryghost/mongo-utils');
const postsPublicService = require('../../services/posts-public');
const allowedIncludes = ['tags', 'authors', 'tiers', 'sentiment'];
@ -9,6 +10,17 @@ const messages = {
postNotFound: 'Post not found.'
};
const rejectPrivateFieldsTransformer = input => mapQuery(input, function (value, key) {
const lowerCaseKey = key.toLowerCase();
if (lowerCaseKey.startsWith('authors.password') || lowerCaseKey.startsWith('authors.email')) {
return;
}
return {
[key]: value
};
});
module.exports = {
docName: 'posts',
@ -37,7 +49,11 @@ module.exports = {
},
permissions: true,
query(frame) {
return models.Post.findPage(frame.options);
const options = {
...frame.options,
mongoTransformer: rejectPrivateFieldsTransformer
};
return models.Post.findPage(options);
}
},
@ -66,7 +82,11 @@ module.exports = {
},
permissions: true,
query(frame) {
return models.Post.findOne(frame.data, frame.options)
const options = {
...frame.options,
mongoTransformer: rejectPrivateFieldsTransformer
};
return models.Post.findOne(frame.data, options)
.then((model) => {
if (!model) {
throw new errors.NotFoundError({

View File

@ -19,6 +19,85 @@ describe('Authors Content API', function () {
await configUtils.restore();
});
it('can not filter authors by password', async function () {
const hashedPassword = '$2a$10$FxFlCsNBgXw42cBj0l1GFu39jffibqTqyAGBz7uCLwetYAdBYJEe6';
const userId = '644fd18ca1f0b764b0279b2d';
await testUtils.knex('users').insert({
id: userId,
slug: 'brute-force-password-test-user',
name: 'Brute Force Password Test User',
email: 'bruteforcepasswordtestuser@example.com',
password: hashedPassword,
status: 'active',
created_at: '2019-01-01 00:00:00',
created_by: '1'
});
const {id: postId} = await testUtils.knex('posts').first('id').where('slug', 'welcome');
await testUtils.knex('posts_authors').insert({
id: '644fd18ca1f0b764b0279b2f',
post_id: postId,
author_id: userId
});
const res = await request.get(localUtils.API.getApiQuery(`authors/?key=${validKey}&filter=password:'${hashedPassword}'`))
.set('Origin', testUtils.API.getURL())
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.public)
.expect(200);
const data = JSON.parse(res.text);
await testUtils.knex('posts_authors').where('id', '644fd18ca1f0b764b0279b2f').del();
await testUtils.knex('users').where('id', userId).del();
if (data.authors.length === 1) {
throw new Error('fuck');
}
});
it('can not filter authors by email', async function () {
const hashedPassword = '$2a$10$FxFlCsNBgXw42cBj0l1GFu39jffibqTqyAGBz7uCLwetYAdBYJEe6';
const userEmail = 'bruteforcepasswordtestuser@example.com';
const userId = '644fd18ca1f0b764b0279b2d';
await testUtils.knex('users').insert({
id: userId,
slug: 'brute-force-password-test-user',
name: 'Brute Force Password Test User',
email: userEmail,
password: hashedPassword,
status: 'active',
created_at: '2019-01-01 00:00:00',
created_by: '1'
});
const {id: postId} = await testUtils.knex('posts').first('id').where('slug', 'welcome');
await testUtils.knex('posts_authors').insert({
id: '644fd18ca1f0b764b0279b2f',
post_id: postId,
author_id: userId
});
const res = await request.get(localUtils.API.getApiQuery(`authors/?key=${validKey}&filter=email:'${userEmail}'`))
.set('Origin', testUtils.API.getURL())
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.public)
.expect(200);
const data = JSON.parse(res.text);
await testUtils.knex('posts_authors').where('id', '644fd18ca1f0b764b0279b2f').del();
await testUtils.knex('users').where('id', userId).del();
if (data.authors.length === 1) {
throw new Error('fuck');
}
});
it('can read authors with fields', function () {
return request.get(localUtils.API.getApiQuery(`authors/1/?key=${validKey}&fields=name`))
.set('Origin', testUtils.API.getURL())

View File

@ -20,6 +20,85 @@ describe('api/endpoints/content/pages', function () {
await configUtils.restore();
});
it('can not filter pages by author.password or authors.password', async function () {
const hashedPassword = '$2a$10$FxFlCsNBgXw42cBj0l1GFu39jffibqTqyAGBz7uCLwetYAdBYJEe6';
const userId = '644fd18ca1f0b764b0279b2d';
await testUtils.knex('users').insert({
id: userId,
slug: 'brute-force-password-test-user',
name: 'Brute Force Password Test User',
email: 'bruteforcepasswordtestuseremail@example.com',
password: hashedPassword,
status: 'active',
created_at: '2019-01-01 00:00:00',
created_by: '1'
});
const {id: postId} = await testUtils.knex('posts').first('id').where('type', 'page');
await testUtils.knex('posts_authors').insert({
id: '644fd18ca1f0b764b0279b2f',
post_id: postId,
author_id: userId
});
const res = await request.get(localUtils.API.getApiQuery(`pages/?key=${key}&filter=authors.password:'${hashedPassword}'`))
.set('Origin', testUtils.API.getURL())
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.public)
.expect(200);
const data = JSON.parse(res.text);
await testUtils.knex('posts_authors').where('id', '644fd18ca1f0b764b0279b2f').del();
await testUtils.knex('users').where('id', userId).del();
if (data.pages.length === 1) {
throw new Error('fuck');
}
});
it('can not filter pages by author.email or authors.email', async function () {
const hashedPassword = '$2a$10$FxFlCsNBgXw42cBj0l1GFu39jffibqTqyAGBz7uCLwetYAdBYJEe6';
const userEmail = 'bruteforcepasswordtestuseremail@example.com';
const userId = '644fd18ca1f0b764b0279b2d';
await testUtils.knex('users').insert({
id: userId,
slug: 'brute-force-password-test-user',
name: 'Brute Force Password Test User',
email: userEmail,
password: hashedPassword,
status: 'active',
created_at: '2019-01-01 00:00:00',
created_by: '1'
});
const {id: postId} = await testUtils.knex('posts').first('id').where('type', 'page');
await testUtils.knex('posts_authors').insert({
id: '644fd18ca1f0b764b0279b2f',
post_id: postId,
author_id: userId
});
const res = await request.get(localUtils.API.getApiQuery(`pages/?key=${key}&filter=authors.email:'${userEmail}'`))
.set('Origin', testUtils.API.getURL())
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.public)
.expect(200);
const data = JSON.parse(res.text);
await testUtils.knex('posts_authors').where('id', '644fd18ca1f0b764b0279b2f').del();
await testUtils.knex('users').where('id', userId).del();
if (data.pages.length === 1) {
throw new Error('fuck');
}
});
it('Returns a validation error when unsupported "page" filter is used', function () {
return request.get(localUtils.API.getApiQuery(`pages/?key=${key}&filter=page:false`))
.set('Origin', testUtils.API.getURL())

View File

@ -23,6 +23,85 @@ describe('api/endpoints/content/posts', function () {
const validKey = localUtils.getValidKey();
it('can not filter posts by author.password or authors.password', async function () {
const hashedPassword = '$2a$10$FxFlCsNBgXw42cBj0l1GFu39jffibqTqyAGBz7uCLwetYAdBYJEe6';
const userId = '644fd18ca1f0b764b0279b2d';
await testUtils.knex('users').insert({
id: userId,
slug: 'brute-force-password-test-user',
name: 'Brute Force Password Test User',
email: 'bruteforcepasswordtestuseremail@example.com',
password: hashedPassword,
status: 'active',
created_at: '2019-01-01 00:00:00',
created_by: '1'
});
const {id: postId} = await testUtils.knex('posts').first('id').where('slug', 'welcome');
await testUtils.knex('posts_authors').insert({
id: '644fd18ca1f0b764b0279b2f',
post_id: postId,
author_id: userId
});
const res = await request.get(localUtils.API.getApiQuery(`posts/?key=${validKey}&filter=authors.password:'${hashedPassword}'`))
.set('Origin', testUtils.API.getURL())
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.public)
.expect(200);
const data = JSON.parse(res.text);
await testUtils.knex('posts_authors').where('id', '644fd18ca1f0b764b0279b2f').del();
await testUtils.knex('users').where('id', userId).del();
if (data.posts.length === 1) {
throw new Error('fuck');
}
});
it('can not filter posts by author.email or authors.email', async function () {
const hashedPassword = '$2a$10$FxFlCsNBgXw42cBj0l1GFu39jffibqTqyAGBz7uCLwetYAdBYJEe6';
const userEmail = 'bruteforcepasswordtestuseremail@example.com';
const userId = '644fd18ca1f0b764b0279b2d';
await testUtils.knex('users').insert({
id: userId,
slug: 'brute-force-password-test-user',
name: 'Brute Force Password Test User',
email: userEmail,
password: hashedPassword,
status: 'active',
created_at: '2019-01-01 00:00:00',
created_by: '1'
});
const {id: postId} = await testUtils.knex('posts').first('id').where('slug', 'welcome');
await testUtils.knex('posts_authors').insert({
id: '644fd18ca1f0b764b0279b2f',
post_id: postId,
author_id: userId
});
const res = await request.get(localUtils.API.getApiQuery(`posts/?key=${validKey}&filter=authors.email:'${userEmail}'`))
.set('Origin', testUtils.API.getURL())
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.public)
.expect(200);
const data = JSON.parse(res.text);
await testUtils.knex('posts_authors').where('id', '644fd18ca1f0b764b0279b2f').del();
await testUtils.knex('users').where('id', userId).del();
if (data.posts.length === 1) {
throw new Error('fuck');
}
});
it('browse posts', function (done) {
request.get(localUtils.API.getApiQuery(`posts/?key=${validKey}`))
.set('Origin', testUtils.API.getURL())

View File

@ -99,6 +99,7 @@ module.exports = {
teardownDb: dbUtils.teardown,
truncate: dbUtils.truncate,
knex: dbUtils.knex,
setup: setup,
createUser: createUser,
createPost: createPost,