security: Enforce candidate/attachment access checks and centralize authorization logic#828
security: Enforce candidate/attachment access checks and centralize authorization logic#828RussH wants to merge 1 commit into
Conversation
|
@mattmumford-git could you take a look onto this? Will this solve your advisories? I also suggest to create one big advisory instead of multiple smaller ones as they will like not get assigned multiple CVEs. |
|
Thanks for taking a look at this. At a high level, yes, centralising the candidate and attachment authorization logic sounds like the right approach and should address the reports I submitted, provided the checks are enforced before each object read/write/delete action rather than only in the UI flow. The key things that would need validating are:
On the advisory structure, that makes sense. I reported them separately to keep the individual impact and proof of concept for each endpoint clear, but I’m happy for the project to consolidate them into one broader advisory for the hidden-candidate object authorization class if that fits the project and CVE process better. |
Motivation
Description
lib/CandidateAuthorization.phpprovidinggetCandidate,canAccessCandidate,getAttachment, andcanAccessCandidateAttachmenthelpers for candidate and attachment access validation.modules/attachments/AttachmentsUI.phpto validate access to candidate attachments viaCandidateAuthorization::canAccessCandidateAttachmentbefore serving files.modules/candidates/CandidatesUI.phpto includeCandidateAuthorizationand add helper methodsenforceCandidateHiddenAccessandenforceAttachmentCandidateHiddenAccess, and use them throughout (edit, delete, add/remove pipeline, activities, tags, attachment create/delete, resume view, questionnaires, image/attachment modals, duplicate handling, etc.) to validate access and fail with a permission error when needed.modules/companies/CompaniesUI.phpto add helpersgetCompanyForActionandgetCompanyAttachmentForActionto validate company and company-attachment inputs used by attachment endpoints.modules/lists/ajax/addToLists.phpto check candidate access for items being added to saved lists when thedataItemTypeisDATA_ITEM_CANDIDATE.Testing
php -l) on the modified files to ensure no syntax errors were introduced; no syntax errors reported.Codex Task