Uploaded image for project: 'Sentry (Retired)'
  1. Sentry (Retired)
  2. SENTRY-989

RealTimeGet with explicit ids can bypass document level authorization

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.5.1
    • Fix Version/s: 1.7.0
    • Component/s: Solr Plugin
    • Labels:
      None

      Description

      RealTimeGet just ignores filter queries currently in Solr (see SOLR-8436) which is how document level security is implemented, so if you can guess the document ids, you can access them.

      Since we probably don't want to wait for a solr version with SOLR-8436 to be released, we should come up with a temporary work around.

        Attachments

        1. SENTRY-989.patch
          68 kB
          Gregory Chanan
        2. SENTRY-989.patch
          68 kB
          Gregory Chanan
        3. SENTRY-989.patch
          65 kB
          Gregory Chanan
        4. SENTRY-989.patch
          29 kB
          Gregory Chanan

          Issue Links

          links to

          Web Link Review Board

            Activity

              People

              • Assignee:
                gchanan Gregory Chanan
                Reporter:
                gchanan Gregory Chanan
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: