Content translation module - Information disclosure by insufficient access checking [#2558905]

Problem/Motivation

reported by: https://www.drupal.org/u/willzyx

STR:

Users with 'Create|Delete|Edit translations' permission can access the translation overview page of an entity (and see some entity info) even if they can't access to the entity itself.
This because content translation access checking, never takes into account if user can access the entity, when grants access to the entity translation overview page.

On a clean installation - standard profile:
1) Enable content_translation and language modules
2) Add a language in admin/config/regional/language
3) Enable translation for Article content type in admin/config/regional/content-language
4) Grant 'Create translations' permission to 'authenticated user' role
5) Revoke 'View published content' permission to 'authenticated user' role
6) Create an Article node (node/1)
7) Login as a user with only 'authenticated user' role
8) Go to node/1/translations. You can see the translation overview and some entity info

This bug does not affect Drupal 7 because the access callback for the translation overview page explicitly calls node_access() for determine if the user can access (see _translation_tab_access())

Proposed resolution

Add an additional check that the user can access the node before allowing them to access the translation form.

Remaining tasks

User interface changes

n/a

API changes

none

Data model changes

None

original report was part of the Drupal 8 bug bounty
https://tracker.bugcrowd.com/drupal/submissions/465314

reported by: https://www.drupal.org/u/willzyx

Beta phase evaluation

Reference: https://www.drupal.org/core/beta-changes
Issue category	Bug, since it's a security hole
Issue priority	Critical or maybe downgrade to major since while we would probably issue a SA for this after release, it requires a very unusual configuration.
Prioritized changes	The main goal of this issue is security
Disruption	Not disruptive.

Comment	File	Size	Author
#35	interdiff.txt	709 bytes	dawehner
#35	2558905-35.patch	16.56 KB	dawehner
#33	interdiff.txt	1.53 KB	dawehner
#33	2558905-33.patch	16.56 KB	dawehner
#32	increment.txt	1.18 KB	pwolanin
#32	2558905-32.patch	15.5 KB	pwolanin
#29	interdiff.txt	2.03 KB	dawehner
#29	2558905-29.patch	14.32 KB	dawehner
#23	interdiff.txt	4.23 KB	dawehner
#23	2558905-23.patch	14.33 KB	dawehner
#22	interdiff.txt	4.64 KB	dawehner
#22	2558905-22.patch	16.52 KB	dawehner
#20	interdiff.txt	1.92 KB	dawehner
#20	2558905-20.patch	13.32 KB	dawehner
#18	interdiff.txt	6.02 KB	dawehner
#18	2558905-18.patch	12.47 KB	dawehner
#15	interdiff.txt	4.79 KB	dawehner
#15	2558905-15.patch	7.02 KB	dawehner
#5	content_translation-2558905-5.patch	2.23 KB	cilefen
#2	2558905-2.patch	960 bytes	pwolanin

Comments

Comment #1

28 August 2015 at 00:06

pwolanin created an issue. See original summary.

Comment #2

pwolanin commented 28 August 2015 at 00:28

Issue summary:	View changes
Status:	Active	» Needs review

Status	File	Size
new	2558905-2.patch	960 bytes

First patch, though I'm not 100% sure the permission construction is generically correct.

Comment #3

pwolanin commented 28 August 2015 at 00:29

Issue tags:

+Needs tests

Should add tests to check the 2 modified routes following the STR

Comment #4

28 August 2015 at 01:07

Status:

Needs review

» Needs work

The last submitted patch, 2: 2558905-2.patch, failed testing.

Comment #5

cilefen commented 28 August 2015 at 01:29

Status	File	Size
new	content_translation-2558905-5.patch	2.23 KB

A basic test of the base route.

Comment #6

pwolanin commented 28 August 2015 at 02:38

Not seeing an obvious way to add a generic "view" check for any entity type. This might be failing since the test entity just has access TRUE.

Comment #7

legolasbo

he/him

Dutch

Middelburg

commented 28 August 2015 at 07:46

Status:

Needs work

» Needs review

Waking up testbot for #5

Comment #8

28 August 2015 at 08:14

Status:

Needs review

» Needs work

The last submitted patch, 5: content_translation-2558905-5.patch, failed testing.

Comment #9

plach

he/him

Italian

Venezia

commented 28 August 2015 at 23:14

What about adding that only to node? It's only node that exposes the "problematic" permission atm...

Comment #10

wim leers

Ghent 🇧🇪🇪🇺

commented 28 August 2015 at 09:25

What about adding that only to node? It's only node that exposes the "problematic" permission atm...

Doesn't it make sense to always have content translation require that you can view the entity before you can translate it? view AND translate as the requirements to access translations makes a ton of sense to me, and is exactly what this patch does.

So, can you clarify why you think this should only be done for nodes?

Comment #11

plach

he/him

Italian

Venezia

commented 28 August 2015 at 23:14

Well, it was a response to:

Not seeing an obvious way to add a generic "view" check for any entity type.

but obviously having it working for any entity type would be more desirable. I'll have a look to those failures later...

Comment #12

cilefen commented 28 August 2015 at 16:52

To cause this you need a silly misconfiguration of permissions. It's almost "works as designed". I don't think this is critical.

Comment #13

willzyx commented 28 August 2015 at 19:19

Issue summary:

View changes

To cause this you need a silly misconfiguration of permissions. It's almost "works as designed". I don't think this is critical.

not at all. Sure, The steps to reproduce the issue produce an "extreme" permissions configuration case, but it is just to show the bug.
Users with 'Create|Delete|Edit translations' permission can access the translation overview page even if they can't access to the entity itself; and this include unpublished entity or entity that some content access module protects. And these cases are not related to a permission misconfiguration.

Another example that shows the bug: on a clean installation - standard profile:
1) Enable content_translation and language modules
2) Add a language in admin/config/regional/language
3) Enable translation for Article content type in admin/config/regional/content-language
4) Grant 'Create translations' permission to 'authenticated user' role
6) Create an Article node (node/1) and unpublish it
7) Login as a user with only 'authenticated user' role
8) Go to node/1/translations. You can see the translation overview and some entity info

Comment #14

plach

he/him

Italian

Venezia

commented 28 August 2015 at 23:14

@willzyx:

Thanks for the detailed description, those steps might be useful to provide additional test coverage, or at least improve the current one :)

Comment #15

dawehner

German

commented 29 August 2015 at 07:49

Status:

Needs work

» Needs review

Status	File	Size
new	2558905-15.patch	7.02 KB
new	interdiff.txt	4.79 KB

Another example that shows the bug: on a clean installation - standard profile:
1) Enable content_translation and language modules
2) Add a language in admin/config/regional/language
3) Enable translation for Article content type in admin/config/regional/content-language
4) Grant 'Create translations' permission to 'authenticated user' role
6) Create an Article node (node/1) and unpublish it
7) Login as a user with only 'authenticated user' role
8) Go to node/1/translations. You can see the translation overview and some entity info

This is basically what the patch in #2558905-5: Content translation module - Information disclosure by insufficient access checking adds as test coverage.

Not seeing an obvious way to add a generic "view" check for any entity type. This might be failing since the test entity just has access TRUE.

I don't get that statement. Its just a bug in entity_test.routing.yml that we don't add the required access checking.
This is one of the reasons why #2350509: Implement auto-route generation for all core entities and convert all of the core entities. is kinda important. It allows us to standardize more.

Other test failures can be fixed by providing the needed permissions.

Comment #16

29 August 2015 at 08:18

Status:

Needs review

» Needs work

The last submitted patch, 15: 2558905-15.patch, failed testing.

Comment #17

willzyx commented 29 August 2015 at 08:29

@dawehner in the test I see:

+++ b/core/modules/content_translation/src/Tests/ContentTranslationOperationsTest.php
@@ -75,6 +76,20 @@ function testOperationTranslateLink() {
+
+    // Ensure that an unintended misconfiguration of permissions does not open
+    // access to the translation form. @see https://www.drupal.org/node/2558905

the comment is wrong and probably the test should be updated. We are not talking of misconfiguration of permissions, the steps to reproduce in 13 (if you read it carefully :)) show that the bug is reproducible without a "particular" permissions configuration

Comment #18

dawehner

German

commented 29 August 2015 at 12:44

Status:	Needs work	» Needs review
Issue tags:	-Needs tests

Status	File	Size
new	2558905-18.patch	12.47 KB
new	interdiff.txt	6.02 KB

the comment is wrong and probably the test should be updated. We are not talking of misconfiguration of permissions, the steps to reproduce in 13 (if you read it carefully :)) show that the bug is reproducible without a "particular" permissions configuration

Oh I see what you mean ...

Let's expand the test coverage for that.

Comment #19

29 August 2015 at 13:37

Status:

Needs review

» Needs work

The last submitted patch, 18: 2558905-18.patch, failed testing.

Comment #20

dawehner

German

commented 29 August 2015 at 15:38

Status:

Needs work

» Needs review

Status	File	Size
new	2558905-20.patch	13.32 KB
new	interdiff.txt	1.92 KB

We could do the following:

Comment #21

29 August 2015 at 17:25

Status:

Needs review

» Needs work

The last submitted patch, 20: 2558905-20.patch, failed testing.

Comment #22

dawehner

German

commented 29 August 2015 at 20:10

Status:

Needs work

» Needs review

Status	File	Size
new	2558905-22.patch	16.52 KB
new	interdiff.txt	4.64 KB

Seriously testbot ...

Comment #23

dawehner

German

commented 29 August 2015 at 20:23

Status	File	Size
new	2558905-23.patch	14.33 KB
new	interdiff.txt	4.23 KB

But seriously dawehner :)

Comment #24

29 August 2015 at 20:37

The last submitted patch, 22: 2558905-22.patch, failed testing.

Comment #25

pwolanin commented 29 August 2015 at 23:21

Looks good, except I 'm not sure about requiring admin permission here:

+        // There is no direct viewing of a menu link, but still for purposes of
+        // content_translation we need a generic way to check access.
+        return AccessResult::allowedIfHasPermission($account, 'administer menu')

Maybe we should re-use the code from update - that seems to be checking view access by checking the the route is accessible?

Comment #26

dawehner

German

commented 29 August 2015 at 23:33

Maybe we should re-use the code from update - that seems to be checking view access by checking the the route is accessible?

Well, this is about route access, so we can't really forward to the route access.

Comment #27

pwolanin commented 30 August 2015 at 02:56

Given that the other check requires 'administer menu' access, that seems reasonable.

These should use Url::fromRoute() in a couple spots in the test:

+    $this->drupalGet('node/' . $node->id() . '/translations');

Comment #28

larowlan

🇦🇺🏝.au GMT+10

commented 30 August 2015 at 07:14

Status:

Needs review

» Reviewed & tested by the community

This looks ready to me, couple of minor issues that could be resolved on commit.
With regards to use of paths in tests, I think that we're ok

+++ b/core/modules/content_translation/src/Tests/ContentTestTranslationUITest.php
@@ -35,11 +35,13 @@ protected function setUp() {
+
+

exteme nit™: not needed (can be removed on commit)

+++ b/core/modules/content_translation/src/Tests/ContentTranslationOperationsTest.php
@@ -75,6 +76,33 @@ function testOperationTranslateLink() {
+    // access to the translation form. @see https://www.drupal.org/node/2558905

Do we normally reference issues in tests? Only for security?

Comment #29

dawehner

German

commented 30 August 2015 at 07:37

Status	File	Size
new	2558905-29.patch	14.32 KB
new	interdiff.txt	2.03 KB

Do we normally reference issues in tests? Only for security?

Well, I think we should, it gives more information ...

Addressed 27 as well.

Comment #30

willzyx commented 30 August 2015 at 09:15

not sure if is in the scope of this issue but I think we should also take in account content_translation_translate_access() and consider to add an entity access check. It seems to suffer of the same bug, since no explicit entity access check is done in this function

Comment #31

pwolanin commented 30 August 2015 at 14:36

Seems like itt's part of the same bug. though looking at uses it may just be exposing links. Still, I think it's reasonable to add a view check.

Comment #32

pwolanin commented 30 August 2015 at 14:47

Status:

Reviewed & tested by the community

» Needs review

Status	File	Size
new	2558905-32.patch	15.5 KB
new	increment.txt	1.18 KB

Like so? Needs a test maybe?

Comment #33

dawehner

German

commented 30 August 2015 at 17:12

Status:

Needs review

» Reviewed & tested by the community

Status	File	Size
new	2558905-33.patch	16.56 KB
new	interdiff.txt	1.53 KB

Sure, why not

Comment #34

plach

he/him

Italian

Venezia

commented 31 August 2015 at 00:14

Looks good to me, thanks! RTBC +1

If we happen to reroll this:

+++ b/core/modules/content_translation/src/Tests/ContentTranslationOperationsTest.php
@@ -75,6 +76,63 @@ function testOperationTranslateLink() {
+   * @see acontent_translation_translate_access()

typo

Comment #35

dawehner

German

commented 31 August 2015 at 05:32

Status	File	Size
new	2558905-35.patch	16.56 KB
new	interdiff.txt	709 bytes

Thank you plach

Yeah let's quick fix that.

Comment #36

alexpott

he/they

English

🇪🇺🌍

commented 31 August 2015 at 07:10

Status:

Reviewed & tested by the community

» Fixed

Nice tests and nice find @willzyx. Committed 112e9bf and pushed to 8.0.x. Thanks!

Comment #37

31 August 2015 at 07:11

alexpott committed 112e9bf on 8.0.x

Issue #2558905 by dawehner, pwolanin, cilefen, plach, willzyx: Content...

Comment #38

14 September 2015 at 07:14

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.