fix(security): validate X-User-Id against trusted owner whitelist to prevent BOLA#2023
fix(security): validate X-User-Id against trusted owner whitelist to prevent BOLA#2023namann5 wants to merge 3 commits into
Conversation
…prevent BOLA The X-User-Id header that scopes all data access (vault secrets, tasks, findings, reports) was accepted without verification, allowing any caller with the shared API key to read another workspace's data by spoofing the header. This fix adds a configurable trusted_owner_ids whitelist: - Empty (default): X-User-Id is ignored, all requests use DEFAULT_OWNER_ID - Populated: only listed owner IDs are accepted; others fall back to default Resolves: utksh1#2021
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1039bc24df
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
utksh1
left a comment
There was a problem hiding this comment.
A whitelist does not fix this BOLA: any client holding the shared API key can still send X-User-Id: team-alpha and impersonate that listed owner. Please bind owner identity to an authenticated principal or a cryptographically verified trusted-proxy assertion; do not accept a client-controlled ownership header as authorization. Add a regression test covering an attacker who sends another allowlisted ID.
…ontrolled whitelist Replace the trusted_owner_ids whitelist approach with trusted-proxy validation. The whitelist was bypassable because any client holding the shared API key could spoof X-User-Id: team-alpha. Now resolve_owner_id() only accepts X-User-Id when request.client.host is in settings.trusted_proxies. This binds owner identity to an authenticated infrastructure component (reverse proxy / SSO layer) rather than trusting a client-controlled header. Changes: - auth.py: Add _is_trusted_proxy(), validate source before accepting header - test_auth_owner_resolution.py: Add proxy-based tests + attacker regression test - test_auth_helpers.py: Update tests for trusted-proxy model - conftest.py: Add 'testclient' to trusted_proxies for integration tests
|
@utksh1 |
Summary
Fixes a Critical (CVSS ~9.8) Broken Object-Level Authorization (BOLA) vulnerability where the
X-User-Idheader — which scopes all data access (vault secrets, tasks, findings, reports) — was accepted without verification. Any client possessing the shared API key could exfiltrate every other workspace's data by spoofing this header.Fixes: #2021
Changes
Root Cause
backend/secuscan/auth.py:239-245—resolve_owner_id()trusted theX-User-Idheader at face value with no server-side validation. This header flows into every data query asowner_id, meaning an attacker could read any workspace's vault secrets (decrypted to plaintext), tasks, findings, and reports.Fix
backend/secuscan/config.py— Addedtrusted_owner_ids: List[str] = []configuration optionbackend/secuscan/auth.py—resolve_owner_id()now validatesX-User-Idagainst the whitelist:DEFAULT_OWNER_IDconftest.pyfixture withtrusted_owner_ids=["alice", "bob"]Security Impact
X-User-Idvalue acceptedConfiguration
Testing
trusted_owner_ids=["alice", "bob"]main