Comments (8)
as mentioned in #59, the authority block could be a special case for deserialization, containing configuration data that other blocks cannot hold, such as this option
from biscuit.
If the version at https://play-with-biscuit.cleverapps.io/ is up-to-date, the #authority
and #ambient
restrictions can easily be bypassed by any party able to create a new block.
This in turn allows to bypass any checks already present on the previous blocks or in the authority section. Conversely, with knowledge of the verifier code, one could craft a block that always grants passage.
from biscuit.
@svvac could you explain how it is easily bypassed? Wth the playground, you cannot create a token with authority or ambient facts in blocks other than block 0.
Sure, it is possible to manually create a token with the authority or ambient tag by tweaking the library, but verifier implementations are supposed to refuse them. There's even one of the samples that test for that: https://github.com/CleverCloud/biscuit/tree/master/samples/v1#invalid-block-fact-with-authority-tag-test7_invalid_block_fact_authoritybc
Though if you have specific concerns or vulnerabilities to demonstrate, I'm always interested, I'll make sure to fix them quickly
from biscuit.
@Geal Given the Files
example, without touching the authority and first block, adding the following block results in Success
for all values of resource(#ambient, *)
and operation(#ambient, *)
in the verifier:
// Bypass `check if operation(#ambient, #read)` from authority block
operation($ambient, #read) <- operation($ambient, $any);
// Bypass `check if resource(#ambient, $file), $file.starts_with("/folder1/")` from block #1
resource($ambient, "/folder1/") <- resource($ambient, $any);
// Add missing rights
right($authority, $file, $right) <- right($authority, $any1, $any2), resource(#ambient, $file), operation(#ambient, $right);
Also different issue (I think), but with the same effect : there seems to be a bug where leftover variables in the rule pattern matches the #authority
symbol:
// Bypass `check if operation(#ambient, #read)` from authority block
operation($unbound, #read) <- operation($any1, $any2);
// Bypass `check if resource(#ambient, $file), $file.starts_with("/folder1/")` from block #1
resource($unbound, "/folder1/") <- resource($any1, $any2);
// Add missing rights
right($unbound, $file, #read) <- resource($any1, $file);
from biscuit.
Nice catch, thanks, I'll fix that and add a new sample to verify that behaviour
from biscuit.
@svvac the bugs were identified and fixed in the Rust and Java implementation, soon in the Go one, and I have prepared test samples to test that for future implementations. The fixes should be pushed soon. I'll announce the vulnerabilities and make a changelog. Do you want to be credited in the announcement?
from biscuit.
@Geal I don't mind, thanks for asking. Glad to hear it got fixed fast.
from biscuit.
I'm waiting on a few updates before publishing about it, but Rust and Java versions are available with the fix
from biscuit.
Related Issues (20)
- DID / DPKI integration HOT 5
- Suggested clarification on "Biscuit is a bearer token" HOT 2
- fix authorizer serialization
- check all / check unless behaviour HOT 3
- Question regarding the language specification about Sets HOT 2
- separate v2 and v3 samples HOT 1
- specify operator precedence
- Date & time manipulation
- Scoped rules HOT 1
- ECDSA support HOT 3
- EBNF grammar for the text format HOT 8
- Serialized errors in samples HOT 1
- other set operations HOT 1
- Isolated block execution HOT 7
- Block scoping and third-party caveats HOT 7
- biscuitsec.org Down HOT 3
- Extending `+` and `.contains()` to strings HOT 1
- [question] What prevents a bearer from removing an offline attenuation blocks' caveat? HOT 3
- Update default symbol table as last edit to `v2` HOT 8
- breaking format changes in v2 HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from biscuit.