Headline
GHSA-3f6g-m4hr-59h8: OpenFGA Authorization Bypass
Overview
OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses "but not" and "from" expressions and a userset.
For example, with a model like the following
model
  schema 1.1

type user

type role
  relations
    define assignee: [user]

type permission
  relations
    define assignee: assignee from role
    define role: [role]

type job
  relations
    define can_read: [permission#assignee]
    define problem: [user] but not can_read
and these tuples:
user:1, problem, job:1
user:1, assignee, role:admin
role:admin, role, permission:readJobs
permission:readJobs#assignee, can_read, job:1
A query such as Check(object=job:1, relation=problem, user=user:1) will return allowed=true when the correct response is allowed=false.
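As an added illustration (not part of the advisory and not OpenFGA's code), a minimal reference evaluator for the model and tuples above shows why the expected answer is allowed=false: user:1 reaches can_read through the permission:readJobs#assignee userset, so the "but not" exclusion applies. The rule encoding and the names TUPLES, MODEL and check are assumptions made for this example.

```python
# Constructed reference evaluator for the advisory's model (not OpenFGA code).

# Tuples from the advisory, as (user, relation, object).
TUPLES = {
    ("user:1", "problem", "job:1"),
    ("user:1", "assignee", "role:admin"),
    ("role:admin", "role", "permission:readJobs"),
    ("permission:readJobs#assignee", "can_read", "job:1"),
}

# The advisory's model as rewrite rules, keyed by (object type, relation):
#   ("direct",)                  -> [type] or [type#relation] assignments
#   ("from", rel, tupleset)      -> "<rel> from <tupleset>"
#   ("but_not", base, excluded)  -> "<base> but not <excluded>"
MODEL = {
    ("role", "assignee"): ("direct",),
    ("permission", "role"): ("direct",),
    ("permission", "assignee"): ("from", "assignee", "role"),
    ("job", "can_read"): ("direct",),
    ("job", "problem"): ("but_not", ("direct",), "can_read"),
}

def check(user, relation, obj, rule=None):
    """Return True if `user` has `relation` on `obj` under MODEL and TUPLES."""
    rule = rule or MODEL[(obj.split(":")[0], relation)]
    if rule[0] == "direct":
        for subject, rel, target in TUPLES:
            if (rel, target) != (relation, obj):
                continue
            if subject == user:
                return True
            # Userset subject such as permission:readJobs#assignee: the user
            # matches if it holds that relation on the referenced object.
            if "#" in subject:
                set_obj, set_rel = subject.split("#")
                if check(user, set_rel, set_obj):
                    return True
        return False
    if rule[0] == "from":
        _, rel, tupleset = rule
        # Follow each object linked through `tupleset`, then check `rel` there.
        return any(check(user, rel, subject)
                   for subject, r, target in TUPLES
                   if (r, target) == (tupleset, obj))
    if rule[0] == "but_not":
        _, base, excluded = rule
        return check(user, relation, obj, base) and not check(user, excluded, obj)
    raise ValueError(f"unknown rule {rule!r}")
```

The same model, tuples and Check call can be kept as a regression test to confirm that a deployed OpenFGA version returns allowed=false.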
Fix
Downgrade to v1.5.6 as soon as possible. This downgrade is backward compatible.
We are currently working on a fix which will be included in the next release.
References
- GHSA-3f6g-m4hr-59h8