Authentication Bypass in GraphQL Queries for Users/Tokens Lacking Permissions #16292

@kiraum

Description

Deployment Type

Self-hosted

NetBox Version

v4.0.3

Python Version

3.11

Steps to Reproduce

Test user does not have any permissions associated with it (I am using the admin token to make the query):

% curl -s -H "Authorization: Token 28a079fb8aa5e107583583dbeb7deb027121a15a" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/users/\?username\=test | jq -r '.results[] | .username, .permissions'
test
[]

Test user token:

% curl -s -H "Authorization: Token 28a079fb8aa5e107583583dbeb7deb027121a15a" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/tokens/ | jq -r '.results[] | select(.user.username == "test") | .user.username, .key'
test
4f745a0b1c13168c95883ee004f17df7ef96e42a

Now using the test user token without any permissions via GraphQL:

% curl -s -H "Authorization: Token 4f745a0b1c13168c95883ee004f17df7ef96e42a" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/graphql/ \
--data '{"query": "query {asn(id:1) {asn}}"}'
{"data": {"asn": {"asn": 666}}}
% curl -s -H "Authorization: Token 4f745a0b1c13168c95883ee004f17df7ef96e42a" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/graphql/ \
--data '{"query": "query {provider(id:1) {name}}"}'
{"data": {"provider": {"name": "test-p"}}}

In my understanding, if a user/token has no permissions, it should be rejected by default.

Version:

% curl -s -H "Authorization: Token 28a079fb8aa5e107583583dbeb7deb027121a15a" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/status/ | jq -r '.'
{
  "django-version": "5.0.6",
  "installed-apps": {
    "debug_toolbar": "4.3.0",
    "django_filters": "24.2",
    "django_prometheus": "2.3.1",
    "django_rq": "2.10.2",
    "django_tables2": "2.7.0",
    "drf_spectacular": "0.27.2",
    "drf_spectacular_sidecar": "2024.5.1",
    "mptt": "0.16.0",
    "rest_framework": "3.15.1",
    "social_django": "5.4.1",
    "taggit": "5.0.1",
    "timezone_field": "6.1.0"
  },
  "netbox-version": "4.0.3",
  "plugins": {},
  "python-version": "3.11.6",
  "rq-workers-running": 2
}

This may be related to issue #16228.

Expected Behavior

The system should reject GraphQL queries from users or tokens that do not have the necessary permissions.

Observed Behavior

During testing, it was discovered that if a user or token lacks permissions, the system does not enforce authentication for GraphQL queries. This was observed using a test user with no permissions, where GraphQL queries still returned sensitive data.

GraphQL queries are processed and data is returned even when the user or token has no permissions.

Further investigation is needed to confirm the scope and cause of the authentication bypass. Additional details will be provided upon request.
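A small regression check for the behaviour in this report, written here as an added example; it is not the reporter's code and not part of the NetBox code base. It compares the permission list the REST API returns for a user with what the GraphQL endpoint sent back and labels each pair (bypass, enforced, authorized, unexpected denial). The two GraphQL response bodies are the ones quoted above, the third "denied" body is constructed for illustration, and the `probe()` helper, the only part that contacts a server, assumes the same `/graphql/` path and `Authorization: Token` header as the curl calls in the report.

```python
"""
Added example, not part of the original report or of the NetBox code base.
It replays the verification the report performs by hand: compare a token's
REST permission list with what the GraphQL endpoint returned and classify
whether object-level permissions were enforced. Sample bodies are embedded
here (two copied from the report, one constructed); probe() is the only
function that contacts a live instance and the offline checks never call it.
"""
import json
import urllib.request

# GraphQL response bodies. The first two are the exact bodies quoted in the
# report; the third is a constructed example of what a refused query looks
# like (field nulled out plus an `errors` entry), not output captured from NetBox.
REPORTED_ASN = {"data": {"asn": {"asn": 666}}}
REPORTED_PROVIDER = {"data": {"provider": {"name": "test-p"}}}
CONSTRUCTED_DENIED = {
    "data": {"asn": None},
    "errors": [{"message": "permission denied (constructed sample)"}],
}


def returned_objects(body):
    """Return the names of top-level fields that resolved to a non-null value.

    A refused query either carries an `errors` list with its fields nulled
    out, or has no `data` at all; in both cases nothing is listed here.
    """
    data = body.get("data") or {}
    return [field for field, value in data.items() if value is not None]


def evaluate(permissions, body):
    """Classify one GraphQL response against the token's permission list.

    `permissions` is the list that /api/users/users/ reports for the user
    (empty for the test user in the report above). Verdicts:
      bypass             no permissions, yet objects came back
      enforced           no permissions, nothing came back
      authorized         permissions present and objects came back
      unexpected_denial  permissions present but nothing came back
    """
    got_data = bool(returned_objects(body))
    if not permissions:
        return "bypass" if got_data else "enforced"
    return "authorized" if got_data else "unexpected_denial"


def audit(permissions, bodies):
    """Evaluate several responses at once; returns {query_name: verdict}."""
    return {name: evaluate(permissions, body) for name, body in bodies.items()}


def probe(base_url, token, query, timeout=10):
    """Send one GraphQL query with a token and return the decoded JSON body.

    Network helper for re-running the report's check against an instance you
    administer; path and header format follow the curl calls in the report.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/graphql/",
        data=json.dumps({"query": query}).encode(),
        headers={
            "Authorization": f"Token {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # The report's situation: the test user has [] permissions and both
    # queries were answered with data, so both are labelled "bypass".
    results = audit([], {"asn": REPORTED_ASN, "provider": REPORTED_PROVIDER})
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    print("constructed denied sample:", evaluate([], CONSTRUCTED_DENIED))
```

After an upgrade, feeding `probe()` output for a no-permission token into `evaluate([], ...)` should yield "enforced" for every query; any "bypass" verdict means the object-level permission check is still not applied on that path.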

Metadata

Labels

severity: high (Completely breaks certain functions, or substantially degrades performance application-wide)
status: accepted (This issue has been accepted for implementation)
type: bug (A confirmed report of unexpected behavior in the application)
