Security considerations
I want to call your attention to security issues in gargantext.
Namely, any authenticated user can make http/graphql requests for any node/user/whatever.
For example, I'm logged in locally as user1. Then, as user2 I have ID 12. Look what happens:
curl -H 'Authorization: Bearer ...' http://localhost:8008/api/v1.0/12
{"id":12,"hash_id":"\\xa6859e7e819bc48aa3e8093f77947cba17d7efad4138d6361cc8778633da0a82","typename":1,"user_id":3,"parent_id":null,"name":"user2","date":"2023-07-27T09:09:21.290532Z","hyperdata":{"private":{"lang":"EN","password":"password"},"shared":{"where":[{"office":"Office","exit":"0001-01-31T00:00:00Z","organization":["Organization X"],"labTeamDepts":["Lab Z"],"country":"Country","entry":"0001-01-31T00:00:00Z","role":"Role","city":"City","touch":{"phone":"+336 328 283 288","url":"https://url.com","mail":"email@data.com"}}],"lastValidation":"TODO lastValidation date","bdd":"bdd","title":"Title","uniqId":"DO NOT expose this","who":{"freetags":[],"lastName":"Dupont","keywords":[],"firstName":"Pierre"},"uniqIdBdd":"DO NOT expose this","source":"Source"},"pubmed_api_key":"test-user2","public":{"publications":[1,2,3,4,5,6,7,8,9,10],"pseudo":"pseudo"}}}
So I fetched sensitive data for that user (email, name).
Now let's get his nodes:
curl -H 'Authorization: Bearer ...' http://localhost:8008/api/v1.0/tree/12/first-level
{"node":{"name":"user2","type":"NodeUser","id":12},"children":[{"node":{"name":"Public","type":"NodeFolderPublic","id":15},"children":[]},{"node":{"name":"Share","type":"NodeFolderShared","id":14},"children":[]},{"node":{"name":"Private","type":"NodeFolderPrivate","id":13},"children":[{"node":{"name":"corpus-user2","type":"NodeCorpus","id":97},"children":[{"node":{"name":"Notes","type":"Notes","id":98},"children":[]}]}]}]}
Interesting, a corpus with notes, let's dig deeper:
curl -H 'Authorization: Bearer ...' http://localhost:8008/api/v1.0/node/98
{"id":98,"hash_id":"\\xf4f0f6f76693072e64cb6ccfe88feed391188f7f6cea3b3571ec96b62fa7c1c6","typename":991,"user_id":3,"parent_id":97,"name":"Notes","date":"2023-08-08T02:56:45.492797Z","hyperdata":{"frame_id":"883ed74df733399f9a2002e062724cf33b63fd6313ffdeb6aedb0cac2e5156fb","base":"http://write.frame.gargantext.org"}}
So I got his "secret" frame id and I can write/read his notes.
We do have a User datatype in G.C.T.Individu. We also have some access checking in G.A.A.Auth. This is used in G.A.Node in nodeNodeAPI for example. But it only checks whether the user is logged in, not if he's allowed to view the resource.
Any ideas on how to secure this, preferably on type level?
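One way to push the per-resource check to the type level, as an added example and not Gargantext's own code: an opaque witness type whose constructor is not exported, so the only way to obtain one is through a function that performs the ownership check. Handlers that return private data take the witness instead of a raw node id, so a route that forgets the check does not compile. The module and function names (`Authorized`, `authorizeNode`, `readNode`), the `Node` record and the in-memory map are assumptions for this example; the sample ids (node 98 owned by user_id 3) mirror the responses quoted above but the data itself is constructed.

```haskell
-- Added example (not Gargantext code): authorization witness pattern.
module NodeAuth (NodeId(..), UserId(..), Node(..), AuthError(..),
                 Authorized, authorizeNode, readNode, demo) where

import qualified Data.Map.Strict as Map

newtype NodeId = NodeId Int deriving (Eq, Ord, Show)
newtype UserId = UserId Int deriving (Eq, Ord, Show)

-- Assumed shape of a stored node; `nodeSecret` stands in for data such as a
-- frame id that must never be returned to anyone but the owner.
data Node = Node
  { nodeId     :: NodeId
  , nodeOwner  :: UserId
  , nodeName   :: String
  , nodeSecret :: String
  } deriving (Show)

data AuthError = NotFound NodeId | Forbidden UserId NodeId
  deriving (Eq, Show)

-- Opaque witness: the constructor is deliberately NOT exported, so code
-- outside this module cannot fabricate an `Authorized` value.
newtype Authorized = Authorized Node

-- The single place where "may this caller see this node?" is decided.
-- A handler would normally map both failures to the same HTTP status so
-- that callers cannot tell existing ids from non-existing ones.
authorizeNode :: Map.Map NodeId Node -> UserId -> NodeId
              -> Either AuthError Authorized
authorizeNode db caller nid =
  case Map.lookup nid db of
    Nothing -> Left (NotFound nid)
    Just n
      | nodeOwner n == caller -> Right (Authorized n)
      | otherwise             -> Left (Forbidden caller nid)

-- Handlers take the witness, not a NodeId: no witness, no data.
readNode :: Authorized -> (String, String)
readNode (Authorized n) = (nodeName n, nodeSecret n)

-- Constructed sample data (ids chosen to match the post, values made up).
sampleDb :: Map.Map NodeId Node
sampleDb = Map.fromList
  [ (NodeId 98, Node (NodeId 98) (UserId 3) "Notes" "frame-id-of-user2")
  , (NodeId 42, Node (NodeId 42) (UserId 1) "Notes" "frame-id-of-user1")
  ]

demo :: IO ()
demo = do
  -- user1 (user_id 1) asks for node 98, which belongs to user_id 3: refused.
  print (fmap readNode (authorizeNode sampleDb (UserId 1) (NodeId 98)))
  -- The owner asks for the same node: allowed, secret returned.
  print (fmap readNode (authorizeNode sampleDb (UserId 3) (NodeId 98)))
```

The point of the pattern is that the logged-in check (which the existing code already does) and the ownership check become inseparable at the API boundary: a handler cannot be written against a bare node id, so the omission that makes `/api/v1.0/node/98` readable by any authenticated user becomes a compile error rather than a missing `if`.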