Critical vulnerability with put API
loctv opened this issue
Loc Truong commented
Addon restful has a critical issue:
```python
@validate_token
@http.route(_routes, type="http", auth="none", methods=["PUT"], csrf=False)
def put(self, model=None, id=None, **payload):
    """."""
    payload = payload.get('payload', {})
    try:
        _id = int(id)
    except Exception as e:
        return invalid_response("invalid object id", "invalid literal %s for id with base " % id)
    _model = request.env[self._model].sudo().search([("model", "=", model)], limit=1)
    if not _model:
        return invalid_response(
            "invalid object model", "The model %s is not available in the registry." % model, 404,
        )
    try:
        # sudo(): the write runs as superuser, so no access rules apply to the caller
        record = request.env[_model.model].sudo().browse(_id)
        record.write(payload)
    except Exception as e:
        request.env.cr.rollback()
        return invalid_response("exception", e.name)
    else:
        return valid_response(record.read())
```
An attacker can perform a privilege escalation attack by putting anything with sudo() to update res.users or res.groups.
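As an added example that is not part of either comment and not code from the restful addon, the Python below models the handler quoted above next to a hardened variant that performs the same write without sudo(). The in-memory registry, MODEL_ACL, record_rule(), ADMIN and ALICE are constructed stand-ins for what Odoo supplies through ir.model.access and ir.rule; they are not Odoo's API and exist only so the two handlers can be compared offline.

```python
"""Added example (not the restful addon's code): sudo() write vs. a write
that is checked as the caller. Everything here is a constructed stand-in."""

class AccessError(Exception):
    """Raised when the caller lacks the right to write the target."""

def make_registry():
    """Constructed stand-in for request.env: model name -> {id: field dict}.
    A fresh copy is returned on every call so writes do not leak between runs."""
    return {
        "res.users": {
            1: {"login": "admin", "groups_id": ["base.group_system"]},
            2: {"login": "alice", "groups_id": ["base.group_user"]},
        },
        "res.groups": {1: {"name": "Settings"}},
        "res.partner": {
            7: {"name": "Acme", "user_id": 2},
            8: {"name": "Globex", "user_id": 1},
        },
    }

# Constructed callers: "id" is the res.users id, "admin" marks the settings group.
ADMIN = {"id": 1, "login": "admin", "admin": True}
ALICE = {"id": 2, "login": "alice", "admin": False}

# Constructed model-level ACL: (login, model) -> operations permitted.
# alice may read users but only write partners; admin may write everything.
MODEL_ACL = {
    ("admin", "res.users"): {"read", "write"},
    ("admin", "res.groups"): {"read", "write"},
    ("admin", "res.partner"): {"read", "write"},
    ("alice", "res.users"): {"read"},
    ("alice", "res.partner"): {"read", "write"},
}

def record_rule(caller, model, record):
    """Constructed record-level rule: non-admins may only write partners they own."""
    if caller["admin"]:
        return True
    return model == "res.partner" and record.get("user_id") == caller["id"]

def vulnerable_put(env, model, rec_id, payload, caller):
    """Mirrors the handler in the issue: sudo() skips every check and the caller
    is never consulted, so any holder of a valid token can rewrite any record
    of any model, including group membership on res.users."""
    record = env[model][int(rec_id)]
    record.update(payload)
    return dict(record)

def hardened_put(env, model, rec_id, payload, caller):
    """The same write performed as the caller: the model ACL and the record
    rule both have to allow it before anything is changed."""
    if model not in env:
        raise KeyError("model %s is not in the registry" % model)
    if "write" not in MODEL_ACL.get((caller["login"], model), set()):
        raise AccessError("%s may not write %s" % (caller["login"], model))
    try:
        record = env[model][int(rec_id)]
    except (KeyError, ValueError):
        raise KeyError("no %s record with id %r" % (model, rec_id))
    if not record_rule(caller, model, record):
        raise AccessError("%s may not write %s/%s" % (caller["login"], model, rec_id))
    record.update(payload)
    return dict(record)

def write_denied(handler, env, model, rec_id, payload, caller):
    """True if the handler refuses the write with AccessError, False if it went through."""
    try:
        handler(env, model, rec_id, payload, caller)
    except AccessError:
        return True
    return False

if __name__ == "__main__":
    escalate = {"groups_id": ["base.group_system"]}
    print(vulnerable_put(make_registry(), "res.users", 2, escalate, ALICE))
    print(write_denied(hardened_put, make_registry(), "res.users", 2, escalate, ALICE))
```

In Odoo itself the equivalent fix is to drop sudo() from the browse/write path and perform the write in the environment of the user the token resolved to, so that ir.model.access and ir.rule are enforced by the ORM, and to limit the endpoint to an explicit allowlist of models rather than exposing every model in the registry.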
Babatope Ajepe commented
Do you have proof of the assertion made above? If you can prove a possible attack, a pull request from you would be appreciated instead of misleading the community about a false claim.
Pending that, I am closing this issue.
Thanks