From 97aaff1b2f878ae1cf7dc4be23d0b38ff20b1f05 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Thu, 18 Jan 2024 12:10:06 +0100 Subject: [PATCH] usershareprovider: Prevent setting container specific permissions on files It was possible to set the 'CreateContainer', 'Move' or 'Delete' permissions on file resources with a CreateShare request. These permissions are meant to be only set on container resources. The UpdateShare request already has a similar check. Parial Fix: https://github.com/owncloud/ocis/issues/8131 --- changelog/unreleased/fix-create-share-precheck.md | 8 ++++++++ .../services/usershareprovider/usershareprovider.go | 10 +++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 changelog/unreleased/fix-create-share-precheck.md diff --git a/changelog/unreleased/fix-create-share-precheck.md b/changelog/unreleased/fix-create-share-precheck.md new file mode 100644 index 00000000000..3b7f800c525 --- /dev/null +++ b/changelog/unreleased/fix-create-share-precheck.md @@ -0,0 +1,8 @@ +Bugfix: Prevent setting container specific permissions on files + +It was possible to set the 'CreateContainer', 'Move' or 'Delete' permissions on +file resources with a CreateShare request. These permissions are meant to be only +set on container resources. The UpdateShare request already has a similar check. + +https://github.com/cs3org/reva/pull/xxxx +https://github.com/owncloud/ocis/issues/8131 diff --git a/internal/grpc/services/usershareprovider/usershareprovider.go b/internal/grpc/services/usershareprovider/usershareprovider.go index 6efc53a59a5..0710d007864 100644 --- a/internal/grpc/services/usershareprovider/usershareprovider.go +++ b/internal/grpc/services/usershareprovider/usershareprovider.go @@ -198,7 +198,7 @@ func (s *service) CreateShare(ctx context.Context, req *collaboration.CreateShar Status: status.NewPermissionDenied(ctx, nil, "no permission to add grants on shared resource"), }, err } - // check if the requested share creation has sufficient permissions to do so. + // check if the share creator has sufficient permissions to do so. if shareCreationAllowed := conversions.SufficientCS3Permissions( sRes.GetInfo().GetPermissionSet(), req.GetGrant().GetPermissions().GetPermissions(), @@ -207,6 +207,14 @@ func (s *service) CreateShare(ctx context.Context, req *collaboration.CreateShar Status: status.NewPermissionDenied(ctx, nil, "insufficient permissions to create that kind of share"), }, nil } + // check if the requested permission are plausible for the Resource + if sRes.GetInfo().GetType() == provider.ResourceType_RESOURCE_TYPE_FILE { + if newPermissions := req.GetGrant().GetPermissions().GetPermissions(); newPermissions.GetCreateContainer() || newPermissions.GetMove() || newPermissions.GetDelete() { + return &collaboration.CreateShareResponse{ + Status: status.NewInvalid(ctx, "cannot set the requested permissions on that type of resource"), + }, nil + } + } if !s.isPathAllowed(req.GetResourceInfo().GetPath()) { return &collaboration.CreateShareResponse{