  1. Fedora Repository Project
  2. FCREPO-1889

Direct/Indirect Containers allow writing arbitrary triples to any resource, despite access controls

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Fedora 4.5.0
    • Fix Version/s: None
    • Component/s: f4-auth
    • Labels:

      Description

      In a thought experiment, it is anticipated that manipulating direct and indirect containers would allow an attacker to create arbitrary triples on any resource that they should not have write access to.

      For example, if a user can create an indirect container (/a):

      /a a ldp:IndirectContainer ;
        ldp:insertedContentRelation rdf:object ;
        ldp:membershipResource /resource/to/attack ;
        ldp:hasMemberRelation xxx:predicateToCreate .

      When posting a new resource:
      <> a rdf:Statement ;
        rdf:object /resource/to/link .

      Would create the triple

      /resource/to/attack xxx:predicateToCreate /resource/to/link

      Expected Behavior:

      The creation of the resource in the indirect container should fail with a permissions / auth related error.
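One way to express the expected behavior, as an added example that is not part of the original report or of Fedora's code: before accepting a POST, compute the membership triples the container would derive and require write access on their subject as well as on the container itself. The `Container` class, the ACL dictionary, the user names and the function names are hypothetical, and only `ldp:hasMemberRelation` is modelled.

```python
# Added example: authorization check for LDP direct/indirect containers.
# All names and the ACL layout are hypothetical, not Fedora APIs.
from dataclasses import dataclass

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"


@dataclass(frozen=True)
class Container:
    uri: str
    kind: str                            # "Basic", "Direct" or "Indirect"
    membership_resource: str = ""        # ldp:membershipResource
    has_member_relation: str = ""        # ldp:hasMemberRelation
    inserted_content_relation: str = ""  # ldp:insertedContentRelation


def derived_triples(container, new_uri, body):
    """Membership triples a POST to `container` would write on another resource.

    `body` is the posted resource as (predicate, object) pairs.
    """
    if container.kind == "Direct":
        objects = [new_uri]
    elif container.kind == "Indirect":
        objects = [o for p, o in body if p == container.inserted_content_relation]
    else:
        return []
    return [(container.membership_resource, container.has_member_relation, o)
            for o in objects]


def authorize_post(user, container, new_uri, body, acl):
    """Allow the POST only if `user` may write the container AND every
    resource that would receive a derived membership triple."""
    targets = {container.uri}
    targets |= {s for s, _, _ in derived_triples(container, new_uri, body)}
    denied = sorted(t for t in targets if user not in acl.get(t, set()))
    return (not denied, denied)


# Constructed sample data mirroring the report: mallory may write /a only.
ACL = {"/a": {"mallory", "alice"}, "/resource/to/attack": {"alice"}}
ATTACK = Container("/a", "Indirect", "/resource/to/attack",
                   "xxx:predicateToCreate", RDF + "object")
BODY = [(RDF + "type", RDF + "Statement"), (RDF + "object", "/resource/to/link")]

if __name__ == "__main__":
    print(derived_triples(ATTACK, "/a/1", BODY))
    print(authorize_post("mallory", ATTACK, "/a/1", BODY, ACL))
```
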

        Attachments

        1. auth.ttl
          0.2 kB
          Jared Whiklo
        2. indirect_expand.ttl
          0.4 kB
          Jared Whiklo

              People

              • Assignee:
                Unassigned
                Reporter:
                azaroth42 Rob Sanderson