Summary
A user in one workspace could exercise another workspace's integration through the
testConnection endpoint by supplying its ID, because the integration was fetched in
a bypass scope and the caller's permission check matched any base in any workspace.
Details
The connection-test endpoint fetched the integration in RootScopes.BYPASS scope and
checked only that the integration was non-private and that the caller held an
owner/creator role on any base in any workspace. The permission lookup is now scoped
to the integration's workspace by joining on fk_workspace_id, and the controller
rejects requests where the integration's workspace differs from the request's workspace.
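To make the two checks concrete, the following added illustration (not the project's own code; the in-memory tables, record shapes and function names are hypothetical) contrasts the over-broad authorization described above with the workspace-scoped one:

```typescript
// Constructed in-memory stand-ins for the workspace, base, role and
// integration records (hypothetical; not the project's data layer).
type Role = 'owner' | 'creator' | 'viewer';
interface Base { id: string; workspaceId: string }
interface Integration { id: string; fk_workspace_id: string; is_private: boolean }
interface BaseUser { userId: string; baseId: string; role: Role }

const bases: Base[] = [
  { id: 'base-a', workspaceId: 'ws-a' },
  { id: 'base-b', workspaceId: 'ws-b' },
];
const integrations: Integration[] = [
  { id: 'int-b', fk_workspace_id: 'ws-b', is_private: false },
];
const baseUsers: BaseUser[] = [
  { userId: 'alice', baseId: 'base-a', role: 'owner' },   // member of ws-a only
  { userId: 'bob', baseId: 'base-b', role: 'creator' },   // member of ws-b
];

const privileged = (r: Role): boolean => r === 'owner' || r === 'creator';

// Vulnerable shape: the integration is loaded with no workspace filter (the
// bypass scope), and the role lookup matches a privileged role on any base in
// any workspace, so alice (ws-a) passes for an integration owned by ws-b.
function canTestConnectionVulnerable(userId: string, integrationId: string): boolean {
  const integration = integrations.find((i) => i.id === integrationId);
  if (!integration || integration.is_private) return false;
  return baseUsers.some((bu) => bu.userId === userId && privileged(bu.role));
}

// Hardened shape: the request's workspace must equal the integration's
// fk_workspace_id, and the role lookup is joined to bases of that workspace.
function canTestConnectionFixed(
  userId: string, requestWorkspaceId: string, integrationId: string,
): boolean {
  const integration = integrations.find((i) => i.id === integrationId);
  if (!integration || integration.is_private) return false;
  if (integration.fk_workspace_id !== requestWorkspaceId) return false;
  return baseUsers.some((bu) => {
    const base = bases.find((b) => b.id === bu.baseId);
    return bu.userId === userId && privileged(bu.role)
      && base !== undefined && base.workspaceId === integration.fk_workspace_id;
  });
}
```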
Impact
Cross-tenant access to integration configuration through the connection-test endpoint,
including the ability to drive the resolved database with the other workspace's
credentials. Authentication with creator-or-owner role on any base in any workspace
was sufficient.
Credit
This issue was reported by @DongyangLyu.