
Commit 9aa5d57

$lib.axon.urlfile was missing a perms check for adding the nodes, part of SYN-6660 (#3490)
1 parent 197bc8f commit 9aa5d57


2 files changed

+22
-0
lines changed


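--- a/synapse/lib/stormtypes.py
+++ b/synapse/lib/stormtypes.py
@@ -2165,6 +2165,10 @@ async def wput(self, sha256, url, headers=None, params=None, method='PUT', ssl=T
 return await axon.wput(sha256byts, url, headers=headers, params=params, method=method, ssl=ssl, timeout=timeout, **kwargs)
 
 async def urlfile(self, *args, **kwargs):
+gateiden = self.runt.snap.wlyr.iden
+self.runt.confirm(('node', 'add', 'file:bytes'), gateiden=gateiden)
+self.runt.confirm(('node', 'add', 'inet:urlfile'), gateiden=gateiden)
+
 resp = await self.wget(*args, **kwargs)
 code = resp.get('code')
 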
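Review bot: The three lines added at the top of urlfile() carry no comment saying why the node-add checks sit ahead of `self.wget(...)` or which gate they are evaluated against. Because they run before the download, a caller lacking either permission is denied before any outbound request is made, and that ordering is worth recording so a later refactor does not move the checks below the fetch. I would add `# Confirm node.add on the snap's write layer before wget so a denied caller triggers no fetch.` above `gateiden = ...`. The body of urlfile continues outside the hunk, so whether the later node creation also sets properties that would need their own permission checks cannot be judged from here.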

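--- a/synapse/tests/test_lib_stormtypes.py
+++ b/synapse/tests/test_lib_stormtypes.py
@@ -5764,6 +5764,11 @@ async def test_storm_lib_axon_perms(self):
 
 async with self.getTestCore() as core:
 
+mainview = await core.callStorm('return($lib.view.get().iden)')
+forkview = await core.callStorm('return($lib.view.get().fork().iden)')
+
+mainlayr = core.getView(mainview).layers[0].iden
+
 visi = await core.auth.addUser('visi')
 await visi.setPasswd('secret')
 
@@ -5808,11 +5813,24 @@ async def _addfile():
 
 # urlfile
 
+opts['view'] = mainview
 scmd = 'yield $lib.axon.urlfile($url, ssl=$lib.false) return($node)'
 await self.asyncraises(s_exc.AuthDeny, core.callStorm(scmd, opts=opts))
 
 await visi.addRule((True, ('storm', 'lib', 'axon', 'wget')))
+await self.asyncraises(s_exc.AuthDeny, core.callStorm(scmd, opts=opts))
+
+await visi.addRule((True, ('node', 'add', 'file:bytes')), gateiden=mainlayr)
+await self.asyncraises(s_exc.AuthDeny, core.callStorm(scmd, opts=opts))
+
+await visi.addRule((True, ('node', 'add', 'inet:urlfile')), gateiden=mainlayr)
 self.nn(await core.callStorm(scmd, opts=opts))
+
+# won't work in another view
+opts['view'] = forkview
+await self.asyncraises(s_exc.AuthDeny, core.callStorm(scmd, opts=opts))
+opts.pop('view')
+
 await visi.delRule((True, ('storm', 'lib', 'axon', 'wget')))
 
 await visi.addRule((True, ('axon', 'wget')))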
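Review bot: The fork-view assertion at the end of the urlfile block (`opts['view'] = forkview` followed by `asyncraises(s_exc.AuthDeny, ...)`) does not by itself show that the denial comes from the new layer-gated node.add checks. Nothing visible in these hunks gives visi access to the forked view, so the AuthDeny may be raised when the view is opened rather than inside urlfile, and the assertion would then pass even without the fix. Granting read on the fork first, for example `await visi.addRule((True, ('view', 'read')), gateiden=forkview)`, would pin the failure to the layer gate, assuming the fork is not already readable by visi. test_storm_lib_axon_perms starts and ends outside the hunks shown.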
