Comments (7)
JoshTheDerf
commented on July 18, 2024
1
For reference, here's a custom permissions handler I wrote for this:
const ConfigPermissionHandler = require('deepstream.io/src/permission/config-permission-handler')
...
// Wrapper around ConfigPermissionHandler to handle verifying searches ourselves.
class CustomPermissionsHandler extends ConfigPermissionHandler {
constructor () {
// Deepstream already needs to be initialized, and the permissions configuration needs to be passed or in the options object.
super(deepstream._options, require('./deepstream-config/permissions.json'))
}
// This is the important part.
canPerformAction (username, message, callback, authData) {
// Special logic if this is a search query.
if (message.data && message.data[0] && message.data[0].indexOf('search?') !== -1) {
try {
// Parse the query payload.
const searchPayload = JSON.parse(message.data[0].split('?')[1])
// Create a new message replacing the search query with the target table name.
const tableMessage = Object.assign({}, message)
tableMessage.data = [searchPayload.table, searchPayload]
Promise.all([
// Run permissions checker twice, first for the search query message, then for the table access message.
new Promise((resolve, reject) => {
super.canPerformAction(username, message, (...args) => {
resolve(args)
}, authData)
}),
new Promise((resolve, reject) => {
super.canPerformAction(username, tableMessage, (...args) => {
resolve(args)
}, authData)
})
])
.then(results => {
// If any of those results are false, deny the request.
const finalAllowDeny = results.reduce((acc, result) => acc && result[1], true)
// results[0] is the most "accurate" permission check, so use any metadata for that that comes through.
callback(results[0][0], finalAllowDeny)
})
} catch (e) {
// Handle permission errors here. Passing false denies the request attempt.
callback('Permissions Validation Error.', false)
}
// Otherwise pass it on to the normal handler.
} else {
super.canPerformAction(username, message, (...args) => {
callback(...args)
}, authData)
}
}
}
...
deepstream.set('permissionHandler', new CustomPermissionsHandler())It basically sends two checks for search queries. One passes the full search query as expected, the other only passes the table name, allowing you to allow/deny with normal valve table rules.
Seems to work okay, but I'm not sure I understand ConfigPermissionsHandler well enough to guarantee that it works 100% of the time.
from deepstream.io-provider-search-rethinkdb.
abhinavzspace
commented on July 18, 2024
Will the current alternative be to use RPC calls and implement queries on the backend (if you want security)? And then RPC calls can be protected by Valve?
(I am evaluating Deepstream for a realtime project.)
from deepstream.io-provider-search-rethinkdb.
layanto
commented on July 18, 2024
Is it possible to extract the table being queried in Valve to then check via cross reference whether a user should have access to it?
Something like
record:
"search?$queryString":
create: "_('permissions/' + user.data.userId).allowedSearches.indexOf($queryString.table) > -1"
Just not sure how to extract the table name from $queryString
from deepstream.io-provider-search-rethinkdb.
layanto
commented on July 18, 2024
Maybe this will work:
record:
"search?$queryString":
create: '_("permissions/" + user.data.userId).allowedSearches.indexOf($queryString.match(/{"table":"(.*?)",/)[1]) > -1'
from deepstream.io-provider-search-rethinkdb.
n-scope
commented on July 18, 2024
Pretty bad news indeed...
Is it possible to mitigate the issue using a restricted rethinkdb user for the search provider (in rethinkdbConnectionParams) ?
This user would be granted only "public" tables ?
from deepstream.io-provider-search-rethinkdb.
ahmadsholehin
commented on July 18, 2024
Has the code by @JoshTheDerf been incorporated into the community version of Deepstream? I'm afraid without permissions enforcement, this security loophole is going to be very bad for Deepstream.
from deepstream.io-provider-search-rethinkdb.
yasserf
commented on July 18, 2024
It hasn’t no, and I highly doubt it will be since it isn’t a core part of
deepstream but is rather something specific to the real-time search
provider for rethinkdb. It’s a very valid point though and documentation
needs to address this. There are actually multiple issues with the
provider, mainly that the query strings easily exceed the rethinkdb name
size. So what people do instead is make an RPC which is permissioned, that
in turn returns a hash which is used on a custom fork of the rethindb
search provider to get the search parameters out. This allows you to
overcome both permissions and size issues.
I agree this needs to be documented further. I could try implement a
skeleton for this minus the fact you need to figure out where to store the
hash to string mapping since it doesn’t scale in memory.
…On Thu, 2 May 2019 at 08:57, Ahmad Sholehin ***@***.***> wrote:
Has the code by @JoshTheDerf <https://github.com/JoshTheDerf> been
incorporated into the community version of Deepstream? I'm afraid without
permissions enforcement, this security loophole is going to be very bad for
Deepstream.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#43 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAU3WS4BFYO6J2V7A3VZCQTPTKNHJANCNFSM4CRWB76A>
.
from deepstream.io-provider-search-rethinkdb.
Related Issues (20)
- Cannot get all records on a table with an empty query HOT 1
- Own record subscription results in non-robust programming style suggestion HOT 4
- Query should support `in` operator
- search should support `Date`s in rethink HOT 1
- Query should support `ge` and `le`
- Resolve search results race condition
- primaryKey should be configurable HOT 1
- Query on path properties HOT 5
- Why do you need create record valve permission to getList('search?' + queryString)? HOT 1
- How to specify sort order (orderBy) in queryString? HOT 1
- Crashing - probably on too-fast unsubscribe based on the trace HOT 2
- Consider rewritten version HOT 2
- Multiple subscription error HOT 1
- Add «OR» operator
- Cannot read property 'name' of null HOT 1
- how can I use this plugin with deepstreamhub community version HOT 1
- Bug: Complex search queries cause primary key to be too long HOT 1
- Query should support `contains` operator HOT 1
- How should I distinguish when a generared list has recieved an initial value from the server? HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from deepstream.io-provider-search-rethinkdb.