fix: enforce opengraph permissions on custom node kind endpoints#2911
fix: enforce opengraph permissions on custom node kind endpoints#2911itxaiohanglover wants to merge 2 commits into
Conversation
|
I have read the CLA Document and I hereby sign the CLA You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Organization UI (inherited) Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughIn ChangesCustom Node Management Authorization
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
superlinkx
left a comment
There was a problem hiding this comment.
The code would be good to merge. @itxaiohanglover would you mind making a comment with the CLA accept text that the bot asked for? We don't modify the signatures directly and need the comment id to be established for tracking. I'm working internally to get this prioritized for merging and we'll reach out if we need anything more from your end.
Thanks for the patch submission!
Problem
The custom node kind management endpoints (
POST /api/v2/custom-nodes,PUT /api/v2/custom-nodes/{kind_name},DELETE /api/v2/custom-nodes/{kind_name}) only required authentication (RequireAuth()) rather than theopengraph:Writepermission enforced by the sibling graph-schema endpoints. Any authenticated user — including those with the lowest-privilege Read-Only role — could create, modify, or delete custom node types, which are global graph schema entries shared across all users and tenants of the BloodHound instance.The
opengraph:Writepermission (permissions.OpenGraphWrite) is assigned exclusively to the Administrator role (cmd/api/src/auth/role.go, viapermissions.All()). The Read-Only, User, Power User, Auditor, and Upload-Only roles do not hold this permission, but the custom-node write operations bypassed this check entirely.This is a privilege escalation vulnerability: a low-privilege integration account (e.g., a Read-Only or Upload-Only role used by an automated collector) could escalate its capability to global schema administration — polluting the graph schema, deleting administrator-created custom node kinds, or modifying their configuration.
What changed
In
cmd/api/src/api/registration/v2.go(lines 359-363), replacedRequireAuth()with the appropriateRequirePermissions()checks on all five custom-node endpoints, matching the pattern already used by the sibling Open Graph Schema (/api/v2/extensions) endpoints:GET /api/v2/custom-nodesRequireAuth()RequirePermissions(permissions.OpenGraphRead)GET /api/v2/custom-nodes/{kind_name}RequireAuth()RequirePermissions(permissions.OpenGraphRead)POST /api/v2/custom-nodesRequireAuth()RequirePermissions(permissions.OpenGraphWrite)PUT /api/v2/custom-nodes/{kind_name}RequireAuth()RequirePermissions(permissions.OpenGraphWrite)DELETE /api/v2/custom-nodes/{kind_name}RequireAuth()RequirePermissions(permissions.OpenGraphWrite)Read endpoints are gated with
OpenGraphReadand write endpoints withOpenGraphWrite, consistent with howGET /api/v2/extensionsusesOpenGraphReadandPUT/DELETE /api/v2/extensionsuseOpenGraphWrite. No handler logic was modified — only route-level authorization middleware was tightened.Validation
/api/v2/extensionsendpoints.opengraph:Write(viapermissions.All()incmd/api/src/auth/role.go), so non-admin users will now receive a 403 on the write endpoints instead of succeeding.Fixes #2910
Summary by CodeRabbit