[jira] [Issue Comment Deleted] (SSHD-731) Vulnerability in SimpleAccessControlSftpEventListener implementation
[ https://issues.apache.org/jira/browse/SSHD-731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Boris Fridland updated SSHD-731:
--------------------------------
    Comment: was deleted

(was: Thanks for the fast response. I am trying to use the workaround you suggested; however, in MINA 1.3.0, which is the latest version in the Maven repository (https://mvnrepository.com/artifact/org.apache.sshd/sshd-core), there is no withFileSystemAccessor method in SftpSubsystemFactory.Builder(). How do you suggest solving this issue? Thanks.)

> Vulnerability in SimpleAccessControlSftpEventListener implementation
> --------------------------------------------------------------------
>
>                 Key: SSHD-731
>                 URL: https://issues.apache.org/jira/browse/SSHD-731
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 1.3.0
>            Reporter: Boris Fridland
>            Assignee: Goldstein Lyor
>            Priority: Minor
>             Fix For: 1.5.0
>
>
> After implementing SFTP access control by overriding
> SimpleAccessControlSftpEventListener and adding it to SftpSubsystemFactory:
>
> Scenario:
> 1. Set SimpleAccessControlSftpEventListener.isModificationAllowed to return false
> 2. Establish a connection with WinSCP
> 3. Try to create a new file
>
> Expected result: access denied message + no influence on the file system.
> Actual: access denied message + an empty file is written to the server disk.
> In addition, if an existing file is opened and saved, the result is that the
> file content is removed.
>
> Attached configuration code:
> {code:java}
> import java.io.IOException;
> import java.nio.file.Path;
> import java.util.Collections;
>
> import org.apache.sshd.server.scp.ScpCommandFactory;
> import org.apache.sshd.server.session.ServerSession;
> import org.apache.sshd.server.subsystem.sftp.SftpSubsystemFactory;
> // SimpleAccessControlSftpEventListener ships in the sshd-contrib artifact (1.x package layout)
> import org.apache.sshd.server.subsystem.sftp.SimpleAccessControlSftpEventListener;
>
> SftpSubsystemFactory.Builder builder = new SftpSubsystemFactory.Builder();
> builder.addSftpEventListener(new SimpleAccessControlSftpEventListener() {
>     // authorizationManager and EUserAccessLevel are the reporter's own classes
>     // Read access: consulted for open/read/list operations
>     @Override
>     protected boolean isAccessAllowed(ServerSession session, String remoteHandle, Path localPath)
>             throws IOException {
>         EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
>         return level.hasReadAccess();
>     }
>
>     // Write access: returning false is expected to block create/modify/delete
>     @Override
>     protected boolean isModificationAllowed(ServerSession session, String remoteHandle, Path localPath)
>             throws IOException {
>         EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
>         return level.hasWriteAccess();
>     }
> });
>
> sshd.setSubsystemFactories(Collections.singletonList(builder.build()));
> sshd.setCommandFactory(new ScpCommandFactory());
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Commented] (SSHD-731) Vulnerability in SimpleAccessControlSftpEventListener implementation
[ https://issues.apache.org/jira/browse/SSHD-731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15896117#comment-15896117 ]

Boris Fridland commented on SSHD-731:
-------------------------------------

Thanks for the fast response. I am trying to use the workaround you suggested; however, in MINA 1.3.0, which is the latest version in the Maven repository (https://mvnrepository.com/artifact/org.apache.sshd/sshd-core), there is no withFileSystemAccessor method in SftpSubsystemFactory.Builder(). How do you suggest solving this issue? Thanks.
[jira] [Updated] (SSHD-731) Vulnerability in SimpleAccessControlSftpEventListener implementation
[ https://issues.apache.org/jira/browse/SSHD-731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Boris Fridland updated SSHD-731:
--------------------------------
    Description:

After implementing SFTP access control by overriding SimpleAccessControlSftpEventListener and adding it to SftpSubsystemFactory:

Scenario:
1. Set SimpleAccessControlSftpEventListener.isModificationAllowed to return false
2. Establish a connection with WinSCP
3. Try to create a new file

Expected result: access denied message + no influence on the file system.
Actual: access denied message + an empty file is written to the server disk.
In addition, if an existing file is opened and saved, the result is that the file content is removed.

Attached configuration code:
{code:java}
import java.io.IOException;
import java.nio.file.Path;
import java.util.Collections;

import org.apache.sshd.server.scp.ScpCommandFactory;
import org.apache.sshd.server.session.ServerSession;
import org.apache.sshd.server.subsystem.sftp.SftpSubsystemFactory;
// SimpleAccessControlSftpEventListener ships in the sshd-contrib artifact (1.x package layout)
import org.apache.sshd.server.subsystem.sftp.SimpleAccessControlSftpEventListener;

SftpSubsystemFactory.Builder builder = new SftpSubsystemFactory.Builder();
builder.addSftpEventListener(new SimpleAccessControlSftpEventListener() {
    // authorizationManager and EUserAccessLevel are the reporter's own classes
    @Override
    protected boolean isAccessAllowed(ServerSession session, String remoteHandle, Path localPath)
            throws IOException {
        EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
        return level.hasReadAccess();
    }

    // Returning false here is expected to block create/modify/delete
    @Override
    protected boolean isModificationAllowed(ServerSession session, String remoteHandle, Path localPath)
            throws IOException {
        EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
        return level.hasWriteAccess();
    }
});

sshd.setSubsystemFactories(Collections.singletonList(builder.build()));
sshd.setCommandFactory(new ScpCommandFactory());
{code}

Maven dependency:
{code:xml}
<dependency>
  <groupId>org.apache.sshd</groupId>
  <artifactId>sshd-core</artifactId>
  <version>1.3.0</version>
</dependency>
<dependency>
  <groupId>org.apache.sshd</groupId>
  <artifactId>sshd-contrib</artifactId>
  <version>1.3.0</version>
</dependency>
{code}
[jira] [Created] (SSHD-731) Vulnerability in SimpleAccessControlSftpEventListener implementation
Boris Fridland created SSHD-731:
-----------------------------------

             Summary: Vulnerability in SimpleAccessControlSftpEventListener implementation
                 Key: SSHD-731
                 URL: https://issues.apache.org/jira/browse/SSHD-731
             Project: MINA SSHD
          Issue Type: Bug
         Environment:
{code:xml}
<dependency>
  <groupId>org.apache.sshd</groupId>
  <artifactId>sshd-core</artifactId>
  <version>1.3.0</version>
</dependency>
<dependency>
  <groupId>org.apache.sshd</groupId>
  <artifactId>sshd-contrib</artifactId>
  <version>1.3.0</version>
</dependency>
{code}
            Reporter: Boris Fridland


After implementing SFTP access control by overriding SimpleAccessControlSftpEventListener and adding it to SftpSubsystemFactory: even when the isModificationAllowed function returns false.

Scenario:
1. Set isModificationAllowed to return false
2. Establish a connection with WinSCP
3. Try to create a new file

Expected result: access denied message + no influence on the file system.
Actual: access denied message + an empty file is written to the server disk.
In addition, if an existing file is opened and saved, the result is that the file content is removed.

It is a huge vulnerability.

Attached configuration code:
{code:java}
import java.io.IOException;
import java.nio.file.Path;
import java.util.Collections;

import org.apache.sshd.server.scp.ScpCommandFactory;
import org.apache.sshd.server.session.ServerSession;
import org.apache.sshd.server.subsystem.sftp.SftpSubsystemFactory;
// SimpleAccessControlSftpEventListener ships in the sshd-contrib artifact (1.x package layout)
import org.apache.sshd.server.subsystem.sftp.SimpleAccessControlSftpEventListener;

SftpSubsystemFactory.Builder builder = new SftpSubsystemFactory.Builder();
builder.addSftpEventListener(new SimpleAccessControlSftpEventListener() {
    // authorizationManager and EUserAccessLevel are the reporter's own classes
    @Override
    protected boolean isAccessAllowed(ServerSession session, String remoteHandle, Path localPath)
            throws IOException {
        EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
        if (level.hasReadAccess()) {
            return true;
        }
        return false;
    }

    // Returning false here is expected to block create/modify/delete
    @Override
    protected boolean isModificationAllowed(ServerSession session, String remoteHandle, Path localPath)
            throws IOException {
        EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
        if (level.hasWriteAccess()) {
            return true;
        }
        return false;
    }
});

sshd.setSubsystemFactories(Collections.singletonList(builder.build()));
sshd.setCommandFactory(new ScpCommandFactory());
{code}
following
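Both outcomes in the scenario (an empty new file, an existing file emptied on save) are what you get when the access check can only veto after the file has already been opened with create/truncate semantics. The following is an added Python model of that ordering, not MINA SSHD code: `deny_all_modifications` stands in for an isModificationAllowed() override that returns false, the file names are constructed, and the hardened variant simply moves the check ahead of the open.

```python
import os
import tempfile
from typing import Callable

# Constructed model of the SSHD-731 ordering defect; not MINA SSHD code.
# The flags mirror an SFTP client creating or saving a file (create + truncate).
_WRITE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_TRUNC


def deny_all_modifications(path: str) -> bool:
    """Stand-in for an isModificationAllowed() override that returns false."""
    return False


def open_then_check(path: str, allowed: Callable[[str], bool]) -> bool:
    """Vulnerable ordering: the file is opened (created/truncated) before the veto."""
    fd = os.open(path, _WRITE_FLAGS, 0o600)
    os.close(fd)
    # "Access denied" is reported, but the create/truncate has already happened.
    return allowed(path)


def check_then_open(path: str, allowed: Callable[[str], bool]) -> bool:
    """Hardened ordering: the veto runs before any open, so no side effect occurs."""
    if not allowed(path):
        return False
    fd = os.open(path, _WRITE_FLAGS, 0o600)
    os.close(fd)
    return True


def run_scenario(opener: Callable[[str, Callable[[str], bool]], bool]) -> dict:
    """Replay the report's two cases in a temp dir and return what is left on disk."""
    with tempfile.TemporaryDirectory() as d:
        new_file = os.path.join(d, "new.txt")          # case 1: create a new file
        existing = os.path.join(d, "existing.txt")     # case 2: save an existing file
        with open(existing, "w") as f:
            f.write("important content")               # constructed sample content
        granted = [opener(new_file, deny_all_modifications),
                   opener(existing, deny_all_modifications)]
        return {
            "all_denied": not any(granted),
            "new_file_created": os.path.exists(new_file),
            "existing_size": os.path.getsize(existing),
        }
```

A hook that can only reject after the open has executed is an audit event, not an access control; the enforcement point has to sit in the code path that performs the open.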