sergehuber commented on code in PR #760:
URL: https://github.com/apache/unomi/pull/760#discussion_r3362923634


##########
graphql/cxs-impl/src/main/java/org/apache/unomi/graphql/servlet/auth/GraphQLServletSecurityValidator.java:
##########
@@ -133,14 +180,31 @@ private boolean isAuthenticatedUser(HttpServletRequest 
req) {
                 }
             });
             loginContext.login();
-            Subject subject = loginContext.getSubject();
-            boolean success = subject != null;
+            Subject loginSubject = loginContext.getSubject();
+            boolean success = loginSubject != null;
             if (success) {
                 req.setAttribute(REMOTE_USER, username);
+                // Set the security context for JAAS authentication
+                securityService.setCurrentSubject(loginSubject);
+
+                // Check for tenant ID header
+                String tenantId = req.getHeader(UNOMI_TENANT_ID_HEADER);
+                if (tenantId != null && !tenantId.trim().isEmpty()) {
+                    // Validate tenant exists
+                    Tenant tenant = tenantService.getTenant(tenantId);
+                    if (tenant != null) {
+                        
executionContextManager.setCurrentContext(executionContextManager.createContext(tenantId));
+                    } else {
+                        LOG.warn("Invalid tenant ID provided in header: {}", 
tenantId);
+                        
executionContextManager.setCurrentContext(ExecutionContext.systemContext());
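Review bot: The `else` branch of the tenant check is a privilege escalation: when `tenantService.getTenant(tenantId)` returns null for an unrecognised header value, the request is switched to `ExecutionContext.systemContext()`, so any authenticated caller can obtain system-level context simply by sending an `UNOMI_TENANT_ID_HEADER` value that does not match a tenant. An invalid tenant must never widen privileges; either reject the request (log the warning and fail authentication) or leave the context derived from the JAAS login untouched. Two smaller points in the same hunk: the lookup uses the raw `tenantId` while the emptiness check uses `tenantId.trim()`, so a value with surrounding whitespace passes the check but is looked up unchanged; and the visible lines set thread-bound state via `securityService.setCurrentSubject` and `executionContextManager.setCurrentContext` without showing where it is cleared, so confirm the request path resets both in a `finally` block so the context cannot leak to the next request handled on that thread.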

Review Comment:
   Fixed! Rather than falling back to systemContext() when an unknown tenant ID 
is supplied in the header, we now leave the JAAS-derived context untouched. 
This closes the privilege escalation path where an attacker could supply a 
random header value to gain system access.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
