Jackrabbit Oak
OAK-4301: Missing protection for system-maintained rep:externalId


      Description

      While working on OAK-4101 I noticed that the current implementation doesn't provide any protection for the system-maintained property rep:externalId, which is intended to be an identifier for a given synchronized user/group within an external IDP.

      In other words:

      • the system doesn't assert the uniqueness of a given external-id
      • the external-id properties can be changed using the regular JCR API

      Up to now I didn't manage to exploit the missing protection with the current default implementation, but I found that minor (legitimate) changes have the potential to turn this into a critical vulnerability.

      Therefore I would strongly recommend changing the default implementation such that rep:externalId really becomes system-maintained, preventing any unintentional or malicious modification outside of the scope of the sync operations. Furthermore, the uniqueness of this property should be asserted.
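As an added illustration (not the patch attached to this issue and not Oak's own fix), the following commit-hook Validator shows one way to make rep:externalId effectively system-maintained: any commit that adds, changes or removes the property is rejected unless the sync handler has flagged the commit. The class names, the "oak.sync.externalId" CommitInfo attribute and the error code 70 are assumptions; uniqueness is not enforced here, since that needs a repository-wide lookup (e.g. a unique property index) rather than a per-commit check.

```java
import java.util.Map;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.state.NodeState;

// Illustrative only: rejects commits that add, change or delete rep:externalId unless the
// sync handler flagged the commit. Marker name, class names and error code are assumptions.
public class ExternalIdProtectionValidatorProvider extends ValidatorProvider {

    static final String REP_EXTERNAL_ID = "rep:externalId";
    static final String SYNC_MARKER = "oak.sync.externalId"; // hypothetical CommitInfo attribute

    @Override
    protected Validator getRootValidator(NodeState before, NodeState after, CommitInfo info) {
        // Commits issued by the sync operation carry the marker and skip validation.
        Map<String, Object> attrs = (info == null) ? null : info.getInfo();
        if (attrs != null && Boolean.TRUE.equals(attrs.get(SYNC_MARKER))) {
            return null; // null = no validator needed for this commit
        }
        return new ProtectingValidator();
    }
    private static final class ProtectingValidator extends DefaultValidator {
        @Override
        public void propertyAdded(PropertyState after) throws CommitFailedException {
            reject(after.getName());
        }
        @Override
        public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
            reject(after.getName());
        }
        @Override
        public void propertyDeleted(PropertyState before) throws CommitFailedException {
            reject(before.getName());
        }
        // Descend into every added or changed subtree so nested authorizables are covered.
        @Override
        public Validator childNodeAdded(String name, NodeState after) { return this; }
        @Override
        public Validator childNodeChanged(String name, NodeState before, NodeState after) { return this; }

        private static void reject(String name) throws CommitFailedException {
            if (REP_EXTERNAL_ID.equals(name)) {
                throw new CommitFailedException(CommitFailedException.CONSTRAINT, 70,
                        "rep:externalId is system-maintained; only the sync handler may modify it");
            }
        }
    }
}
```

The provider would be registered like any other EditorProvider so the hook runs on every commit, and the sync handler would have to set the marker on its own commits for them to pass.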

        Attachments

        OAK-4301.patch (52 kB, angela)


              People

              Assignee: angela
              Reporter: angela
