Patched security hole with posting acls

jaxoncreed · jaxoncreed · commit 3a1f9954f833 · 2020-04-10T22:12:19.000-04:00
diff --git a/lib/acl-checker.js b/lib/acl-checker.js
@@ -26,6 +26,7 @@ class ACLChecker {
     this.aclCached = {}
     this.messagesCached = {}
     this.requests = {}
+    this.slug = options.slug
   }
 
   // Returns a fulfilled promise when the user can access the resource
@@ -49,7 +50,7 @@ class ACLChecker {
       resource = rdf.sym(ACLChecker.getDirectory(this.resource))
     }
     // If this is an ACL, Control mode must be present for any operations
-    if (this.isAcl(this.resource)) {
+    if (this.isAcl(this.resource) || this.isAcl(decodeURIComponent(this.slug))) {
       mode = 'Control'
       resource = rdf.sym(this.resource.substring(0, this.resource.length - this.suffix.length))
     }
@@ -167,7 +168,8 @@ class ACLChecker {
       },
       suffix: ldp.suffixAcl,
       strictOrigin: ldp.strictOrigin,
-      trustedOrigins
+      trustedOrigins,
+      slug: req.headers['slug']
     })
   }
 }
diff --git a/test/integration/acl-oidc-test.js b/test/integration/acl-oidc-test.js
@@ -545,6 +545,16 @@ describe('ACL with WebID+OIDC over HTTP', function () {
         done()
       })
     })
+    it('user2 should not be able able to post an acl file', function (done) {
+      var options = createOptions('/append-acl/abc.ttl.acl', 'user2', 'text/turtle')
+      options.body = '<a> <b> <c> .\n'
+      request.put(options, function (error, response, body) {
+        assert.equal(error, null)
+        assert.equal(response.statusCode, 403)
+        assert.equal(response.statusMessage, 'User Unauthorized')
+        done()
+      })
+    })
     it('user2 should not be able to access test file', function (done) {
       var options = createOptions('/append-acl/abc.ttl', 'user2', 'text/turtle')
       request.head(options, function (error, response, body) {
diff --git a/test/integration/header-test.js b/test/integration/header-test.js
@@ -61,7 +61,9 @@ describe('Header handler', () => {
       // Retrieve the response headers
       let response = {}
       before(async () => {
+        console.log('before')
         const { headers } = await request.get(resource)
+        console.log('after')
         response.headers = headers
       })
 

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ class ACLChecker {`
`26`	`26`	`this.aclCached = {}`
`27`	`27`	`this.messagesCached = {}`
`28`	`28`	`this.requests = {}`
	`29`	`+ this.slug = options.slug`
`29`	`30`	`}`
`30`	`31`
`31`	`32`	`// Returns a fulfilled promise when the user can access the resource`
`@@ -49,7 +50,7 @@ class ACLChecker {`
`49`	`50`	`resource = rdf.sym(ACLChecker.getDirectory(this.resource))`
`50`	`51`	`}`
`51`	`52`	`// If this is an ACL, Control mode must be present for any operations`
`52`		`- if (this.isAcl(this.resource)) {`
	`53`	`+ if (this.isAcl(this.resource) \|\| this.isAcl(decodeURIComponent(this.slug))) {`
`53`	`54`	`mode = 'Control'`
`54`	`55`	`resource = rdf.sym(this.resource.substring(0, this.resource.length - this.suffix.length))`
`55`	`56`	`}`
`@@ -167,7 +168,8 @@ class ACLChecker {`
`167`	`168`	`},`
`168`	`169`	`suffix: ldp.suffixAcl,`
`169`	`170`	`strictOrigin: ldp.strictOrigin,`
`170`		`- trustedOrigins`
	`171`	`+ trustedOrigins,`
	`172`	`+ slug: req.headers['slug']`
`171`	`173`	`})`
`172`	`174`	`}`
`173`	`175`	`}`