Prevent cross-project instance membership in affinity groups#9897
Prevent cross-project instance membership in affinity groups#9897david-crespo wants to merge 1 commit intomainfrom
Conversation
|
Chatting with @smklein: it's possible we want to allow cross project anti/affinity, in which case the bug to be fixed here would be that we were not checking that the user has modify permissions on the instance being added to the group. We check read on the instance and modify on the group. Cross-project affinity gives me kind of a bad feeling around what I want to call an impedance mismatch between checking user permissions at group add time vs. checking some other relationship between projects that we aren't currently representing yet. Imagine a user has modify access to two projects. So they're able to add an instance in project B to an affinity group in project A. Then they lose their modify perms on project B, but the instance from project B is still in the anti/affinity group they control, and they can cause things to happen to the instance in project B by doing things in project A. In practice that's probably fine, but it worries me slightly. omicron/nexus/src/app/affinity.rs Lines 308 to 318 in 8618f74 omicron/nexus/src/app/affinity.rs Lines 337 to 348 in 8618f74 |
I pointed Claude at this repo and said "find a security problem" and it found this. It's not a very big security problem because the worst thing you can do is mess with affinity, and I don't think users are relying heavily on project boundaries for isolation. But it is a real issue.
Changes
nexus/src/app/affinity.rs:308andnexus/src/app/affinity.rs:344now enforce that the instance and (anti-)affinity group share the same project by comparing the project authz IDs returned by the lookups. This matches the existing “shared hierarchy” guard used byinstance_attach_diskandinstance_attach_floating_ip(nexus/src/app/instance.rs:1802,nexus/src/app/instance.rs:2442).Adds a regression test that reproduces the bypass (no project selector + UUIDs) and asserts
400 BAD_REQUESTfor both affinity and anti-affinity (nexus/tests/integration_tests/affinity.rs:959). The test fails without the fixes in place.Open questions
Modifyon the instance (vs today’sRead), since it affects scheduling?instance_attach_disk/instance_attach_floating_ipboth requireModifyon the instance (andModifyon the thing being attached).