[Bug] [Task Plugin] Dependent type task has security issue

[EricGao888]

Search before asking

• I had searched in the issues and found no similar issues.

What happened

• Dependent type task does not check user permissions. Users could use dependent task to query the project / workflow / task lists of other users'.

What you expected to happen

• Dependent type task should do permission checks.

How to reproduce

• Create user A with project A, workflow A and task A.
• Create user B.
• Use user B to login DS and create a dependent task. In add dependency section, user B could query the project / workflow / task list of user A.

Anything else

related code:

dolphinscheduler/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ProjectServiceImpl.java

Lines 802 to 815 in 5c1edd2

	/**
	* query all project for dependent node
	*
	* @return project list
	*/
	@Override
	public Result queryAllProjectListForDependent() {
	Result result = new Result<>();
	List<Project> projects =
	projectMapper.queryAllProjectForDependent();
	result.setData(projects);
	putMsg(result, Status.SUCCESS);
	return result;
	}

dolphinscheduler/dolphinscheduler-dao/src/main/resources/org/apache/dolphinscheduler/dao/mapper/ProjectMapper.xml

Lines 188 to 191 in 5c1edd2

	<select id="queryAllProjectForDependent" resultType="org.apache.dolphinscheduler.dao.entity.Project">
	select code, name
	from t_ds_project
	</select>

Version

dev

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[github-actions]

Thank you for your feedback, we have received your issue, Please wait patiently for a reply.

• In order for us to understand your request as soon as possible, please provide detailed information, version or pictures.
• If you haven't received a reply for a long time, you can join our slack and send your question to channel #troubleshooting

[huage1994]

I'm willing to fix this bug.

[EricGao888]

Not sure whether this is a bug or a design issue? Do you have any ideas? @SbloodyS @ruanwenjun

[EricGao888]

I'm willing to fix this bug.

Sure

[SbloodyS]

This was designed and modified by me. I believe that the dependency module only queries the workflow id and task id and
its name, and there will be no security risks. And in a production environment, it is a very common operation for users of different projects to rely on tasks from other projects. @EricGao888

[huage1994]

This was designed and modified by me. I believe that the dependency module only queries the workflow id and task id and its name, and there will be no security risks. And in a production environment, it is a very common operation for users of different projects to rely on tasks from other projects. @EricGao888

How to reproduce
Create user A with project A, workflow A and task A.
Create user B.
Use user B to login DS and create a dependent task. In add dependency section, user B could query the project / workflow / task list of user A.

Now user B is allowed to see all project. I think user B should only see the projects that they are authorized to.
An alternative scenario to the current behavior would looks like this:
First, User A authorizes project A to user B, then B can get project A in query list.

WDYT @EricGao888 @SbloodyS

[SbloodyS]

Now user B is allowed to see all project. I think user B should only see the projects that they are authorized to. An alternative scenario to the current behavior would looks like this: First, User A authorizes project A to user B, then B can get project A in query list.

User B can only get all project code and its name and can not do anything else and cannot obtain other detailed information. I don't understand the benefits of restrictions.

[zhongjiajie]

pros: dependent can dependent on some of the basic tasks that the user do can not edit or run. It is helpful when some we do not want to share our workflow to all downstream flow users.
cons: feel odd when some user can search task in dependent task but can not find in project list

[zhongjiajie]

if we finally do not change our code, please remember add some docs for it

[SbloodyS]

cons: feel odd when some user can search task in dependent task but can not find in project list

That’s a good question.