diff --git a/changelog/unreleased/dont-leak-spaces.md b/changelog/unreleased/dont-leak-spaces.md new file mode 100644 index 0000000000..84428aca5e --- /dev/null +++ b/changelog/unreleased/dont-leak-spaces.md @@ -0,0 +1,7 @@ +Bugfix: Don't leak space information on update drive + +There were some problems with the `UpdateDrive` func in decomposedfs when it is called without permission +- When calling with empty request it would leak the complete drive info +- When calling with non-empty request it would leak the drive name + +https://github.com/cs3org/reva/pull/3447 diff --git a/pkg/storage/utils/decomposedfs/spaces.go b/pkg/storage/utils/decomposedfs/spaces.go index efc04a389f..fa2a7e7dd2 100644 --- a/pkg/storage/utils/decomposedfs/spaces.go +++ b/pkg/storage/utils/decomposedfs/spaces.go @@ -527,6 +527,13 @@ func (fs *Decomposedfs) UpdateStorageSpace(ctx context.Context, req *provider.Up return nil, err } + // check if user has access to the drive before continuing + if err := fs.checkViewerPermission(ctx, node); err != nil { + return &provider.UpdateStorageSpaceResponse{ + Status: &v1beta11.Status{Code: v1beta11.Code_CODE_NOT_FOUND, Message: err.Error()}, + }, nil + } + metadata := make(map[string]string, 5) if space.Name != "" { metadata[xattrs.NameAttr] = space.Name @@ -958,7 +965,20 @@ func (fs *Decomposedfs) checkEditorPermission(ctx context.Context, n *node.Node) msg := fmt.Sprintf("not enough permissions to change attributes on %s", filepath.Join(n.ParentID, n.Name)) return errtypes.PermissionDenied(msg) } - return errtypes.NotFound(filepath.Join(n.ParentID, n.Name)) + return errtypes.NotFound(n.ID) + } + return nil +} + +func (fs *Decomposedfs) checkViewerPermission(ctx context.Context, n *node.Node) error { + // to update the space name or short description we need the manager role + // current workaround: check if RemoveGrant Permission exists + rp, err := fs.p.AssemblePermissions(ctx, n) + switch { + case err != nil: + return errtypes.InternalError(err.Error()) + case !rp.Stat: + return errtypes.NotFound(n.ID) } return nil } diff --git a/pkg/storage/utils/decomposedfs/spaces_test.go b/pkg/storage/utils/decomposedfs/spaces_test.go index 07128119ea..b854640a42 100644 --- a/pkg/storage/utils/decomposedfs/spaces_test.go +++ b/pkg/storage/utils/decomposedfs/spaces_test.go @@ -373,7 +373,7 @@ var _ = Describe("Spaces", func() { }, ) Expect(err).ToNot(HaveOccurred()) - Expect(updateResp.Status.Code, rpcv1beta1.Code_CODE_PERMISSION_DENIED) + Expect(updateResp.Status.Code).To(Equal(rpcv1beta1.Code_CODE_NOT_FOUND)) }) }) })