@Artemi10

Non-admin users can access detailed information such as MTU, CPU information, library information and other internal configuration data through network, host and storage domain API. This commit adds logic to remove these fields from responses for non-admin users to prevent unintentional data exposure. Fields that are required by the VM Portal are retained to ensure existing functionality is not broken.

Changes introduced with this PR

  1. Remove all fields from Hosts API except "id", "name", "address", "cluster.id" for non-admin user
     • Before fix: [screenshot: hosts_before]
     • After fix: [screenshot: hosts_after]

  2. Remove all fields from Networks API except "id", "name", "data_center.id" for non-admin user
     • Before fix: [screenshot: networks_before]
     • After fix: [screenshot: networks_after]

  3. Remove all fields from Storage Domains API except "id", "name", "type", "permissions", "storage.type", "available", "used", "status", "data_center.id" for non-admin user
     • Before fix: [screenshot: storage_domain_before]
     • After fix: [screenshot: storage_domain_after]

Are you the owner of the code you are sending in, or do you have permission of the owner?

Yes

Non-admin users can access detailed information such as MTU, CPU information, library information and other internal configuration data through network, host and storage domain API. This commit adds logic to remove these fields from responses for non-admin users to prevent unintentional data exposure. Fields that are required by the VM Portal are retained to ensure existing functionality is not broken.

Signed-off-by: Liakh Artemii <aliakh@orionsoft.ru>
@dupondje dupondje left a comment

Search for isFiltered() in the backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/*** files.
This should be implemented in the same way for additional fields you want to hide.

@Artemi10

Artemi10 commented Jun 2, 2025

Search for isFiltered() in the backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/*** files. This should be implemented in the same way for additional fields you want to hide.

@dupondje
Thanks for pointing that out!

I looked into the isFiltered() implementation in the backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/*** files, but I noticed a potential issue: it respects the filter query parameter even for non-admin users. This means a non-admin could explicitly set filter=false in the request header and potentially bypass data filtering, which might expose sensitive information.

To avoid this, I implemented a separate method isAdmin(). This way, I only check user permissions and do not take any request headers into account, ensuring stricter access control.

// Decides on the authenticated session user's role only; no request
// header or query parameter is consulted.
protected boolean isAdmin() {
    DbUser user = getCurrent().getUser();
    return user.isAdmin();
}
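As an added example that is not oVirt code and not part of this pull request, the Python sketch below shows the two ideas discussed in this thread together: the per-resource allowlists listed in the PR description (dotted paths such as "cluster.id" keep only one field of a nested object), and the decision to apply them taken from the session user's role alone, as the isAdmin() reply above argues. For contrast it also includes the weaker pattern the reply describes, where a client-supplied filter parameter is honoured. The User class stands in for the engine's DbUser, and every sample object is constructed for this example.

```python
"""Field minimisation for non-admin API responses (added illustration)."""
from dataclasses import dataclass

# Allowlists as listed in the PR description. A dotted path such as
# "cluster.id" keeps only the id of the nested cluster object.
NON_ADMIN_ALLOWLIST = {
    "host": {"id", "name", "address", "cluster.id"},
    "network": {"id", "name", "data_center.id"},
    "storage_domain": {"id", "name", "type", "permissions", "storage.type",
                       "available", "used", "status", "data_center.id"},
}


@dataclass(frozen=True)
class User:
    """Authenticated session user (assumed stand-in for oVirt's DbUser)."""
    name: str
    is_admin: bool


def project(obj, allowed):
    """Return a copy of obj that keeps only the dotted paths in allowed."""
    out = {}
    for key, value in obj.items():
        if key in allowed:
            out[key] = value
            continue
        # Paths below this key, with the "key." prefix stripped.
        sub = {p[len(key) + 1:] for p in allowed if p.startswith(key + ".")}
        if sub and isinstance(value, dict):
            nested = project(value, sub)
            if nested:
                out[key] = nested
    return out


def filter_response(resource_type, obj, user, params=None):
    """Strip internal fields for non-admins; the decision ignores params.

    params is accepted only to make the point explicit: a non-admin who
    sends filter=false still receives the minimised object.
    """
    if user.is_admin:
        return dict(obj)
    return project(obj, NON_ADMIN_ALLOWLIST[resource_type])


def legacy_filter_response(resource_type, obj, user, params=None):
    """Weaker pattern: the request's filter parameter is honoured, so a
    non-admin can opt out of minimisation by sending filter=false."""
    params = params or {}
    client_opted_out = params.get("filter", "").lower() == "false"
    if user.is_admin or client_opted_out:
        return dict(obj)
    return project(obj, NON_ADMIN_ALLOWLIST[resource_type])


# Constructed sample objects, not real API output.
SAMPLE_HOST = {
    "id": "h-1",
    "name": "host01",
    "address": "host01.example.invalid",
    "cluster": {"id": "c-1", "name": "Default"},
    "cpu": {"name": "Example CPU", "topology": {"cores": 8, "sockets": 1}},
    "libvirt_version": {"full_version": "0.0.0"},
}

SAMPLE_STORAGE_DOMAIN = {
    "id": "sd-1",
    "name": "data01",
    "type": "data",
    "status": "active",
    "available": 1000,
    "used": 250,
    "storage": {"type": "nfs", "address": "nfs.example.invalid", "path": "/export"},
    "data_center": {"id": "dc-1", "name": "Default"},
    "permissions": [],
}

if __name__ == "__main__":
    viewer = User("viewer", is_admin=False)
    print(filter_response("host", SAMPLE_HOST, viewer, {"filter": "false"}))
    print(legacy_filter_response("host", SAMPLE_HOST, viewer, {"filter": "false"}))
```

Running it prints the minimised host for the role-based version and the full host (CPU topology and library version included) for the legacy version, even though the same non-admin user and the same filter=false parameter were passed to both; that difference is the bypass the reply above is guarding against.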
