[#1420] object/acl: Fix correlation of object session to request

In previous implementation of `neofs-node` app object session was not checked for substitution of the object related to it. Also, for access checks, the session object was substituted instead of the one from the request. This, on the one hand, made it possible to inherit the session from the parent object for authorization for certain actions. On the other hand, it covered the mentioned object substitution, which is a critical vulnerability. Next changes are applied to processing of all Object service requests: - check if object session relates to the requested object - use requested object in access checks. Disclosed problem of object context inheritance will be solved within Signed-off-by: Leonard Lyubich <ctulhurider@gmail.com>
2022-09-16 14:22:09 +04:00 · 2022-09-16 14:22:09 +04:00 · e54b52ec03
commit e54b52ec03
parent 5834f9807e
7 changed files with 159 additions and 92 deletions
--- a/cmd/neofs-cli/modules/session/util.go
+++ b/cmd/neofs-cli/modules/session/util.go
@ -63,7 +63,7 @@ func Prepare(cmd *cobra.Command, cnr cid.ID, obj *oid.ID, key *ecdsa.PrivateKey,

 		tok.BindContainer(cnr)
 		if obj != nil {
-			tok.LimitByObject(*obj)
+			tok.LimitByObjects(*obj)
 		}

 		err := tok.Sign(*key)