CVE-2022-21646: unexpected expand/lookup behaviour with wildcard permissions · Issue #358 · authzed/spicedb
SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right-hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources report a resource as "accessible" when it is not, because the wildcard in the intersection or on the right side of the exclusion is not honoured. In v1.3.0 the wildcard is ignored entirely in lookup's dispatch, so a wildcard used to ban subjects in an exclusion has no effect on lookup results. Version 1.4.0 contains a patch for this issue. As a workaround, do not use wildcards on the right side of exclusions or within intersections.
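The mechanism the advisory describes, modelled in Go as an added example (this is not SpiceDB's code; the tiny expression evaluator, the relationship data, and the subject and document names are constructed here). Check honours a user:* tuple for every subject; the v1.3.0-style lookup skips wildcard tuples in every branch, as the advisory states. Skipping the wildcard on the left of an exclusion or inside an intersection only under-reports, but skipping it on the right of an exclusion empties the banned set, so the lookup returns a resource that Check denies. FailOpen computes exactly that disagreement, which is the check to run against any reverse-index implementation.

```go
package main

import (
	"fmt"
	"sort"
)

// Wildcard is SpiceDB's "any user" subject, written user:* in a relationship.
const Wildcard = "user:*"

// Rel is one relationship tuple: resource#relation@subject.
type Rel struct{ Resource, Relation, Subject string }

// Expr is a permission expression: a relation, or an intersection (&) or
// exclusion (-) of two sub-expressions. A toy model, not SpiceDB's evaluator.
type Expr struct {
	Op   byte // 'r' relation, '&' intersection, '-' exclusion
	Rel  string
	L, R *Expr
}

func R(name string) *Expr      { return &Expr{Op: 'r', Rel: name} }
func And(l, r *Expr) *Expr     { return &Expr{Op: '&', L: l, R: r} }
func Minus(l, r *Expr) *Expr   { return &Expr{Op: '-', L: l, R: r} }

// Check answers "may subject do this on resource?" the way the Check API
// does: a user:* tuple matches every subject, in every branch.
func Check(db []Rel, e *Expr, resource, subject string) bool {
	switch e.Op {
	case '&':
		return Check(db, e.L, resource, subject) && Check(db, e.R, resource, subject)
	case '-':
		return Check(db, e.L, resource, subject) && !Check(db, e.R, resource, subject)
	}
	for _, t := range db {
		if t.Resource == resource && t.Relation == e.Rel &&
			(t.Subject == subject || t.Subject == Wildcard) {
			return true
		}
	}
	return false
}

// lookup returns the resources e grants subject. skipWildcard models the
// v1.3.0 lookup dispatch, which ignored user:* tuples wherever they sat.
func lookup(db []Rel, e *Expr, subject string, skipWildcard bool) map[string]bool {
	out := map[string]bool{}
	switch e.Op {
	case '&', '-':
		left := lookup(db, e.L, subject, skipWildcard)
		right := lookup(db, e.R, subject, skipWildcard)
		// keep r when it is in the right set (for &) or not in it (for -);
		// a skipped wildcard on the right of '-' leaves right empty, so
		// nothing is ever excluded: the CVE-2022-21646 shape.
		for r := range left {
			if right[r] == (e.Op == '&') {
				out[r] = true
			}
		}
		return out
	}
	for _, t := range db {
		if t.Relation == e.Rel &&
			(t.Subject == subject || (t.Subject == Wildcard && !skipWildcard)) {
			out[t.Resource] = true
		}
	}
	return out
}

// LookupResources follows wildcards in every branch and so agrees with Check.
func LookupResources(db []Rel, e *Expr, subject string) map[string]bool {
	return lookup(db, e, subject, false)
}

// LookupResourcesV130 skips wildcards everywhere, as the advisory describes.
func LookupResourcesV130(db []Rel, e *Expr, subject string) map[string]bool {
	return lookup(db, e, subject, true)
}

// FailOpen returns resources the v1.3.0-style lookup reports but Check
// denies. Any non-empty result is an authorization bypass.
func FailOpen(db []Rel, e *Expr, subject string) map[string]bool {
	out := map[string]bool{}
	for r := range LookupResourcesV130(db, e, subject) {
		if !Check(db, e, r, subject) {
			out[r] = true
		}
	}
	return out
}

// Sorted turns a set into a stable slice for printing and comparison.
func Sorted(set map[string]bool) []string {
	keys := make([]string, 0, len(set))
	for k := range set {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Constructed sample data, not taken from the issue. document:secret is
// banned for everyone via a wildcard; document:gated is open to everyone
// who is also a viewer.
var sample = []Rel{
	{"document:public", "viewer", Wildcard},
	{"document:public", "banned", "user:mallory"},
	{"document:secret", "viewer", "user:alice"},
	{"document:secret", "banned", Wildcard},
	{"document:gated", "viewer", "user:alice"},
	{"document:gated", "allowed", Wildcard},
}

var (
	view  = Minus(R("viewer"), R("banned")) // view = viewer - banned
	entry = And(R("viewer"), R("allowed"))  // entry = viewer & allowed
)

func main() {
	for _, p := range []struct {
		name string
		e    *Expr
	}{{"view", view}, {"entry", entry}} {
		fmt.Printf("%s: consistent=%v v1.3.0=%v fail-open=%v\n", p.name,
			Sorted(LookupResources(sample, p.e, "user:alice")),
			Sorted(LookupResourcesV130(sample, p.e, "user:alice")),
			Sorted(FailOpen(sample, p.e, "user:alice")))
	}
}
```

For the exclusion, the wildcard-skipping lookup hands user:alice document:secret although Check denies it; for the intersection it merely drops document:gated, which is the conservative direction. The asymmetry is why the workaround in the advisory singles out the right side of exclusions and intersections rather than wildcards in general.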
Reproduction: https://play.authzed.com/s/Ay9ZZJBrGDKu (check validation tab)
As I ran some experiments with the new wildcard permissions feature, I stumbled upon an apparently unexpected behaviour when doing lookup/expand. Permissions that effectively end up as user:* & userset behave correctly with the Check API, but not with the Lookup/Expand API (which is presumably what's used in the validation tab in the playground).
In the original issue, we discussed that SpiceDB will have special treatment for the user:* relationship when performing the Lookup/Expand API, which is reasonable because it would lead to the "listing all public resources" phenomenon. However, when user:* is chained with other algebraic operators like & and -, I think the current implementation semantics seem unexpected. The desirable outcome would be:
<user:userset> - <user:*> = empty
<user:userset> & <user:*> = <user:userset>