OASIS Open Data Protocol (OData) TC: ODATA-629

Security: Returning Core.Permission'None' could be information leakage


    Details

    • Type: Task
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: V4.0_WD01
    • Fix Version/s: CN01
    • Component/s: Securing OData
    • Labels:
      None
    • Environment:

      [Proposed]

    • Proposal:

      Describe the threat for the scenario where the existence of a particular dynamic property on an entity is privileged information and suggest the option of failing the request rather than returning the Core.Permission'None' for such properties. In general, services should not expose a different value for a property that doesn't exist and a property that exists but for which the authenticated user does not have permissions.

      Description

      11.2.2 specifies that if properties are not available due to permissions, the Core.Permission'None' is returned for that property.

      For dynamic properties not advertised in metadata, there could be scenarios where even the fact that the property exists would be information leakage. For example, if the client specified the unadvertised property in $select and looked for a Core.Permission'None' annotation rather than a failed request.
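The existence oracle described in this issue, and the proposed mitigation, as an added Python example that is not part of the issue or of any OData implementation. It models a minimal `$select` handler over an open entity type: `leaky_select` applies the 11.2.2 rule uniformly, so an unadvertised dynamic property that the caller may not read still comes back annotated `Core.Permission` `None`, while a nonexistent property fails the request; `hardened_select` instead fails the request identically in both cases, so the two are indistinguishable to the caller. The entity, the users, the `"Name@Core.Permission"` annotation key shape, and the fixed error payload are all constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    declared: dict  # properties advertised in $metadata (existence is public)
    dynamic: dict   # open-type (dynamic) properties, not advertised in $metadata


@dataclass(frozen=True)
class User:
    name: str
    readable: frozenset  # property names this user is permitted to read


# Constructed sample data. "UnderInvestigation" is a dynamic property whose
# mere existence is privileged; only HR is allowed to read it.
EMPLOYEE = Entity(declared={"ID": 7, "Name": "A. Example"},
                  dynamic={"UnderInvestigation": True})
HR = User("hr", frozenset({"ID", "Name", "UnderInvestigation"}))
PEER = User("peer", frozenset({"ID", "Name"}))

# Assumed response shape: (status, body). A single fixed error payload is used
# for every failed request so the failure carries no property-specific detail.
ERROR = (400, {"error": {"code": "BadRequest", "message": "Invalid $select"}})


def leaky_select(entity, select, user):
    """11.2.2 applied uniformly: any property the user may not read is
    returned with a Core.Permission 'None' annotation, including dynamic
    properties the client could not have learned about from $metadata.
    Only a property that does not exist at all fails the request."""
    body = {}
    for name in select:
        if name in entity.declared:
            value = entity.declared[name]
        elif name in entity.dynamic:
            value = entity.dynamic[name]
        else:
            return ERROR
        if name in user.readable:
            body[name] = value
        else:
            # Reveals that `name` exists even though the user cannot read it.
            body[f"{name}@Core.Permission"] = "None"
    return (200, body)


def hardened_select(entity, select, user):
    """Declared properties are public knowledge (they are in $metadata), so the
    'None' annotation gives nothing away there. For dynamic properties,
    'exists but forbidden' is made indistinguishable from 'does not exist':
    both paths return the same ERROR response."""
    body = {}
    for name in select:
        if name in entity.declared:
            if name in user.readable:
                body[name] = entity.declared[name]
            else:
                body[f"{name}@Core.Permission"] = "None"
        elif name in entity.dynamic and name in user.readable:
            body[name] = entity.dynamic[name]
        else:
            return ERROR
    return (200, body)


def probe_exists(handler, entity, user, name):
    """Attacker's oracle: compare the response for `name` with the response for
    a name that certainly does not exist. Any difference reveals existence."""
    baseline = handler(entity, ["NoSuchProperty_xyz"], user)
    return handler(entity, [name], user) != baseline


if __name__ == "__main__":
    for handler in (leaky_select, hardened_select):
        leaked = probe_exists(handler, EMPLOYEE, PEER, "UnderInvestigation")
        print(f"{handler.__name__}: existence leaked = {leaked}")
```

The oracle only compares status and body; in a real service the two failure paths must also match in headers and, as far as practical, in response time, otherwise the distinction reappears through a side channel. Note that `hardened_select` deliberately keeps the `None` annotation for declared properties, since `$metadata` already advertises them, so nothing is gained by hiding them.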

    People

    • Assignee: Unassigned
    • Reporter: Michael Pizzo (mikep)
    • Watchers: 3