Skip to content

fix: enforce opengraph permissions on custom node kind endpoints#2911

Open
itxaiohanglover wants to merge 2 commits into
SpecterOps:mainfrom
itxaiohanglover:fix/custom-nodes-authorization
Open

fix: enforce opengraph permissions on custom node kind endpoints#2911
itxaiohanglover wants to merge 2 commits into
SpecterOps:mainfrom
itxaiohanglover:fix/custom-nodes-authorization

Conversation

@itxaiohanglover

@itxaiohanglover itxaiohanglover commented Jun 20, 2026

Copy link
Copy Markdown

Problem

The custom node kind management endpoints (POST /api/v2/custom-nodes, PUT /api/v2/custom-nodes/{kind_name}, DELETE /api/v2/custom-nodes/{kind_name}) only required authentication (RequireAuth()) rather than the opengraph:Write permission enforced by the sibling graph-schema endpoints. Any authenticated user — including those with the lowest-privilege Read-Only role — could create, modify, or delete custom node types, which are global graph schema entries shared across all users and tenants of the BloodHound instance.

The opengraph:Write permission (permissions.OpenGraphWrite) is assigned exclusively to the Administrator role (cmd/api/src/auth/role.go, via permissions.All()). The Read-Only, User, Power User, Auditor, and Upload-Only roles do not hold this permission, but the custom-node write operations bypassed this check entirely.

This is a privilege escalation vulnerability: a low-privilege integration account (e.g., a Read-Only or Upload-Only role used by an automated collector) could escalate its capability to global schema administration — polluting the graph schema, deleting administrator-created custom node kinds, or modifying their configuration.

What changed

In cmd/api/src/api/registration/v2.go (lines 359-363), replaced RequireAuth() with the appropriate RequirePermissions() checks on all five custom-node endpoints, matching the pattern already used by the sibling Open Graph Schema (/api/v2/extensions) endpoints:

Endpoint Before After
GET /api/v2/custom-nodes RequireAuth() RequirePermissions(permissions.OpenGraphRead)
GET /api/v2/custom-nodes/{kind_name} RequireAuth() RequirePermissions(permissions.OpenGraphRead)
POST /api/v2/custom-nodes RequireAuth() RequirePermissions(permissions.OpenGraphWrite)
PUT /api/v2/custom-nodes/{kind_name} RequireAuth() RequirePermissions(permissions.OpenGraphWrite)
DELETE /api/v2/custom-nodes/{kind_name} RequireAuth() RequirePermissions(permissions.OpenGraphWrite)

Read endpoints are gated with OpenGraphRead and write endpoints with OpenGraphWrite, consistent with how GET /api/v2/extensions uses OpenGraphRead and PUT/DELETE /api/v2/extensions use OpenGraphWrite. No handler logic was modified — only route-level authorization middleware was tightened.

Validation

  • Verified the route registration now mirrors the permission pattern of the sibling /api/v2/extensions endpoints.
  • Only the Administrator role holds opengraph:Write (via permissions.All() in cmd/api/src/auth/role.go), so non-admin users will now receive a 403 on the write endpoints instead of succeeding.
  • Confirmed no other endpoints in the file were affected; the diff is limited to the five custom-node route registrations.

Fixes #2910

Summary by CodeRabbit

  • Chores
    • Updated authorization requirements for Custom Node Management API endpoints.
    • Read operations now require OpenGraphRead permission.
    • Write operations now require OpenGraphWrite permission.

@github-actions

Copy link
Copy Markdown


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@coderabbitai

coderabbitai Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 4acf46c8-419c-466c-b1a9-f57206ba87f7

📥 Commits

Reviewing files that changed from the base of the PR and between 92f888b and e7e8475.

📒 Files selected for processing (1)
  • cmd/api/src/api/registration/v2.go

📝 Walkthrough

Walkthrough

In NewV2API, the five Custom Node Management routes are updated from RequireAuth() to RequirePermissions(...): the two GET endpoints now require permissions.OpenGraphRead, and the POST, PUT, and DELETE endpoints now require permissions.OpenGraphWrite. Route paths and handler functions are unchanged.

Changes

Custom Node Management Authorization

Layer / File(s) Summary
Custom Node route authorization upgrade
cmd/api/src/api/registration/v2.go
GET /api/v2/custom-nodes and GET /api/v2/custom-nodes/{kind_name} now require OpenGraphRead; POST, PUT /api/v2/custom-nodes/{kind_name}, and DELETE /api/v2/custom-nodes/{kind_name} now require OpenGraphWrite, replacing the prior RequireAuth() on all five routes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: enforcing opengraph permissions on custom node kind endpoints, which is the core fix addressing the privilege escalation vulnerability.
Description check ✅ Passed The PR description comprehensively covers the problem, solution, and validation. It includes detailed context on the vulnerability, explains the changes made with a comparison table, and validates the fix against the sibling endpoints pattern.
Linked Issues check ✅ Passed The code changes fully address all objectives from issue #2910: permission-based authorization is enforced on all five custom-node endpoints (GET, GET by ID, POST, PUT, DELETE) with OpenGraphRead for reads and OpenGraphWrite for writes, matching the sibling /api/v2/extensions pattern and restricting write operations to Administrators only.
Out of Scope Changes check ✅ Passed All changes are strictly in-scope: only the five custom-node route registrations were modified to replace RequireAuth() with appropriate RequirePermissions() checks. No handler logic was altered and no unrelated files were changed.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@superlinkx superlinkx left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code would be good to merge. @itxaiohanglover would you mind making a comment with the CLA accept text that the bot asked for? We don't modify the signatures directly and need the comment id to be established for tracking. I'm working internally to get this prioritized for merging and we'll reach out if we need anything more from your end.

Thanks for the patch submission!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bug: Missing Authorization on Custom Node Kind Management API Allows Any Authenticated User to Modify Global Graph Schema

2 participants