Security: Returning Core.Permission'None' could be information leakage

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major
    • CN01
    • Affects Version/s: V4.0_WD01
    • Component/s: Securing OData
    • None
    • Environment:

      [Proposed]

      Describe the threat for the scenario where the existence of a particular dynamic property on an entity is privileged information and suggest the option of failing the request rather than returning the Core.Permission'None' for such properties. In general, services should not expose a different value for a property that doesn't exist and a property that exists but for which the authenticated user does not have permissions.

      11.2.2 specifies that if properties are not available due to permissions, the Core.Permission'None' is returned for that property.

      For dynamic properties not advertised in metadata, there could be scenarios where even the fact that the property exists would be information leakage. For example, the client could specify the unadvertised property in $select and look for a Core.Permission'None' annotation rather than a failed request.

            Assignee:
            Unassigned
            Reporter:
            Michael Pizzo (Inactive)
            Votes:
            0
            Watchers:
            3

              Created:
              Updated:
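
The behaviour described in the issue, as an added example that is not part of the original issue or of the OData specification: a simplified `$select` handler showing that annotating a hidden dynamic property is observably different from a nonexistent one, and that failing the request removes the difference. Entity data, role names, function names and result shapes are constructed for illustration.

```python
# Added illustration; entity data, role names and result shapes are constructed.
PERMISSION_NONE = "Core.Permission'None'"  # annotation text as written in the issue

# Open-type entity: property -> (value, roles allowed to read; None = everyone)
ENTITY = {
    "Name": ("Contoso", None),
    "Nickname": ("Connie", None),               # dynamic, public
    "UnderInvestigation": (True, {"auditor"}),  # dynamic, existence is privileged
}
DECLARED = {"Name"}  # properties advertised in metadata


def handle_select(props, roles, fail_on_hidden_dynamic):
    """Simplified $select handler returning ("ok", payload) or ("error", reason)."""
    payload = {}
    for prop in props:
        if prop not in ENTITY:
            return ("error", "unknown property")
        value, allowed = ENTITY[prop]
        if allowed is None or roles & allowed:
            payload[prop] = value
        elif prop in DECLARED or not fail_on_hidden_dynamic:
            # 11.2.2 behaviour: the property is annotated instead of returned
            payload[prop] = PERMISSION_NONE
        else:
            # Proposed option: identical failure to a property that does not exist
            return ("error", "unknown property")
    return ("ok", payload)


def distinguishable(roles, fail_on_hidden_dynamic):
    """True if the caller sees different responses for a hidden and an absent property."""
    hidden = handle_select(["UnderInvestigation"], roles, fail_on_hidden_dynamic)
    absent = handle_select(["NoSuchProperty"], roles, fail_on_hidden_dynamic)
    return hidden != absent
```

A service test suite can assert `distinguishable(...)` is false for every unprivileged role, comparing the full response (status, body and headers) rather than only the status.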