]> BookStack Code Mirror - bookstack/commitdiff
projects / bookstack / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side (parent: 867cbe1)
Addressed user detail harvesting issue
authorDan Brown <redacted>
Tue, 14 Dec 2021 18:47:22 +0000 (18:47 +0000)
committerDan Brown <redacted>
Tue, 14 Dec 2021 18:47:22 +0000 (18:47 +0000)
Altered access & usage of the /search/users/select endpoint with the
following changes:
- Removed searching of email address to prevent email detail discovery
  via hunting via search queries.
- Required the user to be logged in and have permission to manage users
  or manage permissions on items in some way.
- Removed the user migration option on user delete unless they have
  permission to manage users.

For #3108
Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/
Reported by @haxatron

app/Auth/UserRepo.php patch | blob | history
app/Http/Controllers/UserSearchController.php patch | blob | history
resources/views/users/delete.blade.php patch | blob | history
tests/User/UserManagementTest.php patch | blob | history
tests/User/UserSearchTest.php [new file with mode: 0644] patch | blob

diff --git a/app/Auth/UserRepo.php b/app/Auth/UserRepo.php
index 6d48f12402060edbbe56f5660301dc1183ca5dcc..84002b7f7a5b720fc8be550bbce2cfb72b88022f 100644 (file)
--- a/app/Auth/UserRepo.php
+++ b/app/Auth/UserRepo.php
@@ -63,13 +63,16 @@ class UserRepo
 
     /**
      * Get all the users with their permissions in a paginated format.
 
     /**
      * Get all the users with their permissions in a paginated format.
+     * Note: Due to the use of email search this should only be used when
+     * user is assumed to be trusted. (Admin users).
+     * Email search can be abused to extract email addresses.
      */
     public function getAllUsersPaginatedAndSorted(int $count, array $sortData): LengthAwarePaginator
     {
         $sort = $sortData['sort'];
 
         $query = User::query()->select(['*'])
      */
     public function getAllUsersPaginatedAndSorted(int $count, array $sortData): LengthAwarePaginator
     {
         $sort = $sortData['sort'];
 
         $query = User::query()->select(['*'])
-            ->withLastActivityAt()
+            ->scopes(['withLastActivityAt'])
             ->with(['roles', 'avatar'])
             ->withCount('mfaValues')
             ->orderBy($sort, $sortData['order']);
             ->with(['roles', 'avatar'])
             ->withCount('mfaValues')
             ->orderBy($sort, $sortData['order']);
diff --git a/app/Http/Controllers/UserSearchController.php b/app/Http/Controllers/UserSearchController.php
index f7ed9e57a94d1527ac98edd99aa32bf658424e46..1a37ca491dc00bbaf6cff29befa2792dc3c1bdbe 100644 (file)
--- a/app/Http/Controllers/UserSearchController.php
+++ b/app/Http/Controllers/UserSearchController.php
@@ -3,7 +3,6 @@
 namespace BookStack\Http\Controllers;
 
 use BookStack\Auth\User;
 namespace BookStack\Http\Controllers;
 
 use BookStack\Auth\User;
-use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Http\Request;
 
 class UserSearchController extends Controller
 use Illuminate\Http\Request;
 
 class UserSearchController extends Controller
@@ -14,19 +13,27 @@ class UserSearchController extends Controller
      */
     public function forSelect(Request $request)
     {
      */
     public function forSelect(Request $request)
     {
+        $hasPermission = signedInUser() && (
+                   userCan('users-manage')
+                || userCan('restrictions-manage-own')
+                || userCan('restrictions-manage-all')
+        );
+
+        if (!$hasPermission) {
+            $this->showPermissionError();
+        }
+
         $search = $request->get('search', '');
         $search = $request->get('search', '');
-        $query = User::query()->orderBy('name', 'desc')
+        $query = User::query()
+            ->orderBy('name', 'asc')
             ->take(20);
 
         if (!empty($search)) {
             ->take(20);
 
         if (!empty($search)) {
-            $query->where(function (Builder $query) use ($search) {
-                $query->where('email', 'like', '%' . $search . '%')
-                    ->orWhere('name', 'like', '%' . $search . '%');
-            });
+            $query->where('name', 'like', '%' . $search . '%');
         }
 
         }
 
-        $users = $query->get();
-
-        return view('form.user-select-list', compact('users'));
+        return view('form.user-select-list', [
+            'users' => $query->get(),
+        ]);
     }
 }
     }
 }
diff --git a/resources/views/users/delete.blade.php b/resources/views/users/delete.blade.php
index aea4d7954543b3a138f88bf6fb0ce56de0f2300d..490e9d6c5aa979cf07f8267f043afddb066a1fb8 100644 (file)
--- a/resources/views/users/delete.blade.php
+++ b/resources/views/users/delete.blade.php
@@ -12,17 +12,19 @@
 
             <p>{{ trans('settings.users_delete_warning', ['userName' => $user->name]) }}</p>
 
 
             <p>{{ trans('settings.users_delete_warning', ['userName' => $user->name]) }}</p>
 
-            <hr class="my-l">
-
-            <div class="grid half gap-xl v-center">
-                <div>
-                    <label class="setting-list-label">{{ trans('settings.users_migrate_ownership') }}</label>
-                    <p class="small">{{ trans('settings.users_migrate_ownership_desc') }}</p>
+            @if(userCan('users-manage'))
+                <hr class="my-l">
+
+                <div class="grid half gap-xl v-center">
+                    <div>
+                        <label class="setting-list-label">{{ trans('settings.users_migrate_ownership') }}</label>
+                        <p class="small">{{ trans('settings.users_migrate_ownership_desc') }}</p>
+                    </div>
+                    <div>
+                        @include('form.user-select', ['name' => 'new_owner_id', 'user' => null, 'compact' => false])
+                    </div>
                 </div>
                 </div>
-                <div>
-                    @include('form.user-select', ['name' => 'new_owner_id', 'user' => null, 'compact' => false])
-                </div>
-            </div>
+            @endif
 
             <hr class="my-l">
 
 
             <hr class="my-l">
 
diff --git a/tests/User/UserManagementTest.php b/tests/User/UserManagementTest.php
index 5a36b85df6f9d4f1fde0b8eb932eaf9afa0a7cf6..94970df4fe5b800eafb39ca6a3617ed6b6a7e6f2 100644 (file)
--- a/tests/User/UserManagementTest.php
+++ b/tests/User/UserManagementTest.php
@@ -130,6 +130,21 @@ class UserManagementTest extends TestCase
         $resp->assertSee('new_owner_id');
     }
 
         $resp->assertSee('new_owner_id');
     }
 
+    public function test_migrate_option_hidden_if_user_cannot_manage_users()
+    {
+        $editor = $this->getEditor();
+
+        $resp = $this->asEditor()->get("settings/users/{$editor->id}/delete");
+        $resp->assertDontSee('Migrate Ownership');
+        $resp->assertDontSee('new_owner_id');
+
+        $this->giveUserPermissions($editor, ['users-manage']);
+
+        $resp = $this->asEditor()->get("settings/users/{$editor->id}/delete");
+        $resp->assertSee('Migrate Ownership');
+        $resp->assertSee('new_owner_id');
+    }
+
     public function test_delete_with_new_owner_id_changes_ownership()
     {
         $page = Page::query()->first();
     public function test_delete_with_new_owner_id_changes_ownership()
     {
         $page = Page::query()->first();
diff --git a/tests/User/UserSearchTest.php b/tests/User/UserSearchTest.php
new file mode 100644 (file)
index 0000000..1bf3f2d
--- /dev/null
+++ b/tests/User/UserSearchTest.php
@@ -0,0 +1,68 @@
+<?php
+
+namespace Tests\User;
+
+use BookStack\Auth\User;
+use Tests\TestCase;
+
+class UserSearchTest extends TestCase
+{
+
+    public function test_select_search_matches_by_name()
+    {
+        $viewer = $this->getViewer();
+        $admin = $this->getAdmin();
+        $resp = $this->actingAs($admin)->get('/search/users/select?search=' . urlencode($viewer->name));
+
+        $resp->assertOk();
+        $resp->assertSee($viewer->name);
+        $resp->assertDontSee($admin->name);
+    }
+
+    public function test_select_search_shows_first_by_name_without_search()
+    {
+        /** @var User $firstUser */
+        $firstUser = User::query()->orderBy('name', 'desc')->first();
+        $resp = $this->asAdmin()->get('/search/users/select');
+
+        $resp->assertOk();
+        $resp->assertSee($firstUser->name);
+    }
+
+    public function test_select_search_does_not_match_by_email()
+    {
+        $viewer = $this->getViewer();
+        $editor = $this->getEditor();
+        $resp = $this->actingAs($editor)->get('/search/users/select?search=' . urlencode($viewer->email));
+
+        $resp->assertDontSee($viewer->name);
+    }
+
+    public function test_select_requires_right_permission()
+    {
+        $permissions = ['users-manage', 'restrictions-manage-own', 'restrictions-manage-all'];
+        $user = $this->getViewer();
+
+        foreach ($permissions as $permission) {
+            $resp = $this->actingAs($user)->get('/search/users/select?search=a');
+            $this->assertPermissionError($resp);
+
+            $this->giveUserPermissions($user, [$permission]);
+            $resp = $this->actingAs($user)->get('/search/users/select?search=a');
+            $resp->assertOk();
+            $user->roles()->delete();
+            $user->clearPermissionCache();
+        }
+    }
+
+    public function test_select_requires_logged_in_user()
+    {
+        $this->setSettings(['app-public' => true]);
+        $defaultUser = User::getDefault();
+        $this->giveUserPermissions($defaultUser, ['users-manage']);
+
+        $resp = $this->get('/search/users/select?search=a');
+        $this->assertPermissionError($resp);
+    }
+
+}
\ No newline at end of file
The core source code for the BookStack project.