
Security: In-Service privilege escalation via bless + new allows unauthorized gratis storage grants? #512

@boymaas

Good evening @gavofyork. I am probably missing something; maybe you can help me. Reading the GP on the bless function, I noticed what looks like a privilege escalation path for gratis storage.

The bless host call has no authorization check by design: any service can set its working-state manager. The gratis check in the new host call validates against the working-state manager, not the original state.

This seems to allow the following:

  1. Service A calls bless(manager=A): no auth check, anybody can call bless
  2. A's working state now has manager = A
  3. Service A calls new(..., gratis=999999): the check passes because A == working manager
  4. Finalization merges all new accounts without privilege filtering

Unlike authqueue/stagingset, which filter by the original privileged services at the end of the batch, new accounts from all services are unioned into accounts' without validating whether the creator was actually privileged to grant gratis. At least I could not find it.

Should the gratis check in new not reference the original partial state's manager instead of the working state's? Or am I overlooking something that prevents this?
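To make the sequence in the post concrete, here is an added toy model (not the Gray Paper's semantics and not any JAM implementation's code) of the two checks the post contrasts: validating the gratis grant against the working state's manager versus against the original partial state's manager. The state shape, the host-call signatures and the service ids M, A and X are assumptions.

```python
# Toy model of the bless/new sequence described in this issue.  It is NOT the
# Gray Paper's semantics nor any JAM implementation's code: the state shape,
# host-call signatures and the gratis field are assumptions made to make the
# described check concrete.
from dataclasses import dataclass, field, replace
from typing import Dict, Optional


@dataclass
class State:
    manager: str                                # privileged manager service id
    accounts: Dict[str, int] = field(default_factory=dict)  # new account -> gratis


def bless(working: State, new_manager: str) -> State:
    """bless: by design no authorization check; any caller may set the manager."""
    return replace(working, manager=new_manager)


def new(caller: str, original: State, working: State, acct: str, gratis: int,
        check_original: bool) -> State:
    """new: create an account; a non-zero gratis grant requires the caller to
    be the manager.  check_original selects which state's manager is consulted."""
    ref = original if check_original else working
    if gratis and caller != ref.manager:
        raise PermissionError("caller is not the privileged manager")
    accounts = dict(working.accounts, **{acct: gratis})
    return replace(working, accounts=accounts)


def finalize(original: State, working: State) -> Dict[str, int]:
    """Union of all new accounts into accounts', with no privilege filtering."""
    return {**original.accounts, **working.accounts}


def run_batch(check_original: bool) -> Optional[Dict[str, int]]:
    """Replay steps 1-4 from the issue; None means the grant was rejected."""
    original = State(manager="M")   # constructed: M is the real manager
    working = original
    try:
        working = bless(working, "A")                    # steps 1-2: A blesses itself
        working = new("A", original, working, "X", 999999, check_original)  # step 3
    except PermissionError:
        return None
    return finalize(original, working)                   # step 4: merge


escalated = run_batch(check_original=False)   # {'X': 999999}: grant accepted
blocked = run_batch(check_original=True)      # None: grant rejected
```

With the check read from the working state the self-blessed service's grant survives finalization; with the check read from the original state it is rejected at step 3.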
