[PPP-5053] - Intercepting few Get request with Burp Suite allows un-a…

…thorised user to access data (#5559) * [PPP-5053] - Intercepting few Get request with Burp Suite allows un-authorised user to access data
pentaho · Mar 19, 2024 · b27effe · b27effe
1 parent 5c8f90c
commit b27effe
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 2 deletions.
diff --git a/core/src/main/java/org/pentaho/platform/engine/services/solution/SimpleContentGenerator.java b/core/src/main/java/org/pentaho/platform/engine/services/solution/SimpleContentGenerator.java
@@ -20,7 +20,10 @@
 
 package org.pentaho.platform.engine.services.solution;
 
+import org.pentaho.commons.util.repository.exception.PermissionDeniedException;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.repository.IContentItem;
+import org.pentaho.platform.engine.core.system.PentahoSystem;
 import org.pentaho.platform.engine.services.messages.Messages;
 import org.pentaho.platform.util.UUIDUtil;
 
@@ -30,9 +33,15 @@
 public abstract class SimpleContentGenerator extends BaseContentGenerator {
 
   private static final long serialVersionUID = -8882315618256741737L;
+  private static final String REPOSITORY_CREATE_ACTION = "org.pentaho.repository.create";
 
   @Override
   public void createContent() throws Exception {
+
+    if ( !PentahoSystem.get( IAuthorizationPolicy.class ).isAllowed( REPOSITORY_CREATE_ACTION ) ) {
+      throw new PermissionDeniedException();
+    }
+
     OutputStream out = null;
     if ( outputHandler == null ) {
       error( Messages.getInstance().getErrorString( "SimpleContentGenerator.ERROR_0001_NO_OUTPUT_HANDLER" ) ); //$NON-NLS-1$

diff --git a/...s/src/main/java/org/pentaho/platform/web/http/api/resources/GeneratorStreamingOutput.java b/...s/src/main/java/org/pentaho/platform/web/http/api/resources/GeneratorStreamingOutput.java
@@ -22,6 +22,8 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.pentaho.commons.util.repository.exception.PermissionDeniedException;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.engine.IContentGenerator;
 import org.pentaho.platform.api.engine.IOutputHandler;
 import org.pentaho.platform.api.engine.IParameterProvider;
@@ -86,6 +88,8 @@ public class GeneratorStreamingOutput {
 
   private static final boolean MIMETYPE_MUTABLE = true;
 
+  private static final String REPOSITORY_CREATE_ACTION = "org.pentaho.repository.create";
+
   /**
    * Invokes a content generator to produce some content either in the context of a repository file, or in the form of a
    * direct service call (no repository file in view).
@@ -176,6 +180,11 @@ public void write( OutputStream output, MimeTypeCallback callback ) throws IOExc
   }
 
   protected void generateContent( OutputStream outputStream, final MimeTypeCallback callback ) throws Exception {
+
+    if ( !PentahoSystem.get( IAuthorizationPolicy.class ).isAllowed( REPOSITORY_CREATE_ACTION ) ) {
+      throw new PermissionDeniedException();
+    }
+
     try {
       httpServletResponse.setCharacterEncoding( LocaleHelper.getSystemEncoding() );
     } catch ( Throwable t ) {

diff --git a/...ava/org/pentaho/platform/plugin/services/webservices/content/AxisServiceExecutorTest.java b/...ava/org/pentaho/platform/plugin/services/webservices/content/AxisServiceExecutorTest.java
@@ -24,6 +24,11 @@
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.mockStatic;
+import static org.mockito.Mockito.when;
 
 import java.io.ByteArrayOutputStream;
 import java.util.ArrayList;
@@ -34,12 +39,14 @@
 import org.apache.axis2.description.TransportInDescription;
 import org.apache.axis2.description.TransportOutDescription;
 import org.apache.axis2.engine.AxisConfiguration;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.*;
+import org.mockito.MockedStatic;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.engine.IOutputHandler;
 import org.pentaho.platform.api.engine.IParameterProvider;
 import org.pentaho.platform.engine.core.output.SimpleOutputHandler;
 import org.pentaho.platform.engine.core.solution.SimpleParameterProvider;
+import org.pentaho.platform.engine.core.system.PentahoSystem;
 import org.pentaho.platform.engine.core.system.StandaloneSession;
 import org.pentaho.platform.plugin.services.pluginmgr.servicemgr.AxisWebServiceManager;
 import org.pentaho.platform.util.web.SimpleUrlFactory;
@@ -60,6 +67,8 @@ public class AxisServiceExecutorTest {
 
   private ByteArrayOutputStream out;
   private AxisServiceExecutor contentGenerator;
+  private static MockedStatic<PentahoSystem> pentahoSystem;
+
 
   @Before
   public void setUp() throws Exception {
@@ -99,6 +108,16 @@ public void setUp() throws Exception {
 
     assertNotNull( "contentGenerator is null", contentGenerator );
     assertNotNull( "Logger is null", contentGenerator.getLogger() );
+
+    pentahoSystem = mockStatic( PentahoSystem.class );
+    IAuthorizationPolicy policy = mock( IAuthorizationPolicy.class );
+    pentahoSystem.when( () -> PentahoSystem.get( eq( IAuthorizationPolicy.class ) ) ).thenReturn( policy );
+    when( policy.isAllowed( anyString() ) ).thenReturn( true );
+  }
+
+  @After
+  public void cleanUp() {
+    pentahoSystem.close();
   }
 
   @Test

diff --git a/...a/org/pentaho/test/platform/plugin/services/webservices/AxisServiceWsdlGeneratorTest.java b/...a/org/pentaho/test/platform/plugin/services/webservices/AxisServiceWsdlGeneratorTest.java
@@ -21,10 +21,13 @@
 package org.pentaho.test.platform.plugin.services.webservices;
 
 import org.junit.Test;
+import org.mockito.MockedStatic;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.engine.IOutputHandler;
 import org.pentaho.platform.api.engine.IParameterProvider;
 import org.pentaho.platform.engine.core.output.SimpleOutputHandler;
 import org.pentaho.platform.engine.core.solution.SimpleParameterProvider;
+import org.pentaho.platform.engine.core.system.PentahoSystem;
 import org.pentaho.platform.engine.core.system.StandaloneSession;
 import org.pentaho.platform.plugin.services.pluginmgr.servicemgr.AxisWebServiceManager;
 import org.pentaho.platform.plugin.services.webservices.content.AxisServiceWsdlGenerator;
@@ -38,6 +41,11 @@
 import java.util.Map;
 
 import static org.junit.Assert.*;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.mockStatic;
+import static org.mockito.Mockito.when;
 
 public class AxisServiceWsdlGeneratorTest {
 
@@ -50,6 +58,12 @@ public void testBadInit2() throws Exception {
 
   @Test
   public void testBadInit3() throws Exception {
+
+    MockedStatic<PentahoSystem>  pentahoSystem = mockStatic( PentahoSystem.class );
+    IAuthorizationPolicy policy = mock( IAuthorizationPolicy.class );
+    pentahoSystem.when( () -> PentahoSystem.get( eq( IAuthorizationPolicy.class ) ) ).thenReturn( policy );
+    when( policy.isAllowed( anyString() ) ).thenReturn( true );
+
     StandaloneSession session = new StandaloneSession( "test" ); //$NON-NLS-1$
 
     AxisServiceWsdlGenerator contentGenerator = new AxisServiceWsdlGenerator();

diff --git a/...ons/src/test/java/org/pentaho/test/platform/plugin/services/webservices/WsdlPageTest.java b/...ons/src/test/java/org/pentaho/test/platform/plugin/services/webservices/WsdlPageTest.java
@@ -25,10 +25,13 @@
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+import org.mockito.MockedStatic;
+import org.pentaho.platform.api.engine.IAuthorizationPolicy;
 import org.pentaho.platform.api.engine.IOutputHandler;
 import org.pentaho.platform.api.engine.IParameterProvider;
 import org.pentaho.platform.engine.core.output.SimpleOutputHandler;
 import org.pentaho.platform.engine.core.solution.SimpleParameterProvider;
+import org.pentaho.platform.engine.core.system.PentahoSystem;
 import org.pentaho.platform.engine.core.system.StandaloneSession;
 import org.pentaho.platform.plugin.services.pluginmgr.servicemgr.AxisWebServiceManager;
 import org.pentaho.platform.plugin.services.webservices.content.AxisServiceWsdlGenerator;
@@ -43,6 +46,11 @@
 
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.mockStatic;
+import static org.mockito.Mockito.when;
 
 public class WsdlPageTest {
 
@@ -53,6 +61,7 @@ public class WsdlPageTest {
 
   private ByteArrayOutputStream out;
   private AxisServiceWsdlGenerator contentGenerator;
+  private static MockedStatic<PentahoSystem> pentahoSystem;
 
   @Before
   public void setUp() {
@@ -77,12 +86,19 @@ public void setUp() {
     contentGenerator.setMessagesList( new ArrayList<String>() );
     contentGenerator.setSession( session );
     contentGenerator.setUrlFactory( new SimpleUrlFactory( BASE_URL + "?" ) );
+
+    pentahoSystem = mockStatic( PentahoSystem.class );
+    IAuthorizationPolicy policy = mock( IAuthorizationPolicy.class );
+    pentahoSystem.when( () -> PentahoSystem.get( eq( IAuthorizationPolicy.class ) ) ).thenReturn( policy );
+    when( policy.isAllowed( anyString() ) ).thenReturn( true );
   }
 
   @After
   public void tearDown() {
     AxisWebServiceManager.currentAxisConfiguration = beforeTestCfg;
     AxisWebServiceManager.currentAxisConfigContext = beforeTestCtx;
+
+    pentahoSystem.close();
   }