dont leak info in UpdateSpace (#3449)

Signed-off-by: jkoberg <jkoberg@owncloud.com> Signed-off-by: jkoberg <jkoberg@owncloud.com>
cs3org · Nov 11, 2022 · c554766 · c554766
1 parent 413c0a3
commit c554766
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 2 deletions.
diff --git a/changelog/unreleased/dont-leak-spaces.md b/changelog/unreleased/dont-leak-spaces.md
@@ -0,0 +1,7 @@
+Bugfix: Don't leak space information on update drive
+
+There were some problems with the `UpdateDrive` func in decomposedfs when it is called without permission
+-   When calling with empty request it would leak the complete drive info
+-   When calling with non-empty request it would leak the drive name
+
+https://github.com/cs3org/reva/pull/3447
diff --git a/pkg/storage/utils/decomposedfs/spaces.go b/pkg/storage/utils/decomposedfs/spaces.go
@@ -527,6 +527,13 @@ func (fs *Decomposedfs) UpdateStorageSpace(ctx context.Context, req *provider.Up
 		return nil, err
 	}
 
+	// check if user has access to the drive before continuing
+	if err := fs.checkViewerPermission(ctx, node); err != nil {
+		return &provider.UpdateStorageSpaceResponse{
+			Status: &v1beta11.Status{Code: v1beta11.Code_CODE_NOT_FOUND, Message: err.Error()},
+		}, nil
+	}
+
 	metadata := make(map[string]string, 5)
 	if space.Name != "" {
 		metadata[xattrs.NameAttr] = space.Name
@@ -958,7 +965,20 @@ func (fs *Decomposedfs) checkEditorPermission(ctx context.Context, n *node.Node)
 			msg := fmt.Sprintf("not enough permissions to change attributes on %s", filepath.Join(n.ParentID, n.Name))
 			return errtypes.PermissionDenied(msg)
 		}
-		return errtypes.NotFound(filepath.Join(n.ParentID, n.Name))
+		return errtypes.NotFound(n.ID)
+	}
+	return nil
+}
+
+func (fs *Decomposedfs) checkViewerPermission(ctx context.Context, n *node.Node) error {
+	// to update the space name or short description we need the manager role
+	// current workaround: check if RemoveGrant Permission exists
+	rp, err := fs.p.AssemblePermissions(ctx, n)
+	switch {
+	case err != nil:
+		return errtypes.InternalError(err.Error())
+	case !rp.Stat:
+		return errtypes.NotFound(n.ID)
 	}
 	return nil
 }

diff --git a/pkg/storage/utils/decomposedfs/spaces_test.go b/pkg/storage/utils/decomposedfs/spaces_test.go
@@ -373,7 +373,7 @@ var _ = Describe("Spaces", func() {
 					},
 				)
 				Expect(err).ToNot(HaveOccurred())
-				Expect(updateResp.Status.Code, rpcv1beta1.Code_CODE_PERMISSION_DENIED)
+				Expect(updateResp.Status.Code).To(Equal(rpcv1beta1.Code_CODE_NOT_FOUND))
 			})
 		})
 	})