CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Author Topic: Potential Security Issue with the REST API and non-drupal users  (Read 1386 times)

colbyw

  • I’m new here
  • *
  • Posts: 13
  • Karma: 1
  • CiviCRM version: 4.2.4
  • CMS version: Drupal 7
  • MySQL version: 14.14
  • PHP version: 5.3.6
Potential Security Issue with the REST API and non-drupal users
April 23, 2013, 02:20:07 pm
While I was working on an issue (CRM-10360) at the civicon code sprint, I discovered that while contacts with an api key but without a corresponding drupal user can't bootstrap drupal, they can still use the REST api (possibly just failing to have a hook in a drupal module fire). The person using the REST api would still need the site key or a PHPSESSID, but this is still a case of permissions being ignored and seems like a potential security issue.

Any comments or opinions?

xavier

  • Forum Goddess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: Potential Security Issue with the REST API and non-drupal users
April 23, 2013, 02:35:57 pm
Hi,

I don't think it would make sense in any context that you can have an api_key without a CMS user, it's a bug indeed.

If we bootstrap the CMS, it should solve the issue, right?

There is a solution there, can you try applying?

http://issues.civicrm.org/jira/browse/CRM-11212
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

colbyw

  • I’m new here
  • *
  • Posts: 13
  • Karma: 1
  • CiviCRM version: 4.2.4
  • CMS version: Drupal 7
  • MySQL version: 14.14
  • PHP version: 5.3.6
Re: Potential Security Issue with the REST API and non-drupal users
April 23, 2013, 04:54:15 pm
I have submitted two PRs that deal with the REST bootstrap issue.

This first one makes api calls using entity/action bootstrap:
https://github.com/civicrm/civicrm-core/pull/519

This one returns an error when the cms user doesn't exist:
https://github.com/civicrm/civicrm-core/pull/523

So it wasn't as simple as just bootstrapping, but these two fixes get the job done.

Coleman Watts

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 2346
  • Karma: 183
  • CiviCRM version: The Bleeding Edge
  • CMS version: Various
Re: Potential Security Issue with the REST API and non-drupal users
April 23, 2013, 08:00:00 pm
Thanks for the contributions.
Try asking your question on the new CiviCRM help site.

totten

  • Administrator
  • Ask me questions
  • *****
  • Posts: 695
  • Karma: 64
Re: Potential Security Issue with the REST API and non-drupal users
April 24, 2013, 11:13:48 am
Colby and I have been talking about how to unit-test the REST interface ( http://issues.civicrm.org/jira/browse/CRM-12412 ), and we looked at CiviSeleniumTestCase::rest_civicrm_api() for an example of calling REST from PHPUnit. There's an interesting comment there:

"Experimental - currently only works if permissions on remote site allow anon user to access ajax api"

It seems there are multiple URLs for receiving REST-style calls -- civicrm/ajax/rest, civicrm/api/json, and extern/rest.php. It seems the differences are:

 * civicrm/ajax/rest - Intended for use in a web-browser where the user session/cookie are managed by the CMS without any REST or AJAX calls. There is no explicit authentication mechanism (because CMS handles that).
 * extern/rest.php - Intended for use with third-party applications. The application still needs to set up a session/cookie, but they can go through Civi (providing api_key or user/pass) rather than POST'ing to a CMS form. However, they must also provide the site's API key.
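The two authentication paths described above (a PHPSESSID from an existing session, or the site key plus a contact's api_key for extern/rest.php), together with the failure colbyw reports in the first post (a contact holding an api_key but no CMS user is let through and permissions are never checked), as an added Python model. This is not CiviCRM's PHP code and not the content of either pull request: the table contents, the site key value and the function names (authenticate_rest, rest_call, rest_allows) are constructed for illustration. The require_cms_user flag switches between the behaviour the first post describes and the "error when the CMS user doesn't exist" check that PR 523 is described as adding.

```python
"""Model of the REST authentication path discussed in this thread.

Constructed example, not CiviCRM code: every table, key and helper name
here is an assumption made for illustration.
"""
import hmac


class RestAuthError(Exception):
    """Raised when a REST request fails authentication or a permission check."""


# Constructed stand-in for the installation's site key ("key" parameter).
SITE_KEY = "constructed-site-key"

# Constructed rows standing in for civicrm_contact (contact id -> api_key)
# and civicrm_uf_match (contact id -> CMS user id). Contact 2 has an api_key
# but no CMS account, which is the situation the first post describes.
CONTACT_API_KEYS = {1: "api-key-staff", 2: "api-key-orphan"}
UF_MATCH = {1: 501}

# Constructed CMS-side permission grants keyed by CMS user id: what a CMS
# bootstrap would normally let Civi consult.
CMS_PERMISSIONS = {501: {"access CiviCRM", "view all contacts"}}

# Constructed session table for the PHPSESSID path (session id -> contact id).
SESSIONS = {"sess-staff-1234": 1}


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison so secret lookups do not leak via timing."""
    return hmac.compare_digest(a.encode(), b.encode())


def authenticate_rest(params: dict, require_cms_user: bool = True):
    """Return (contact_id, permissions) for a REST-style request or raise.

    params models the query string sent to extern/rest.php: either a
    PHPSESSID for an existing session, or key (site key) plus api_key.
    With require_cms_user=False the function reproduces the pre-fix
    behaviour: a contact with no uf_match row is accepted and the returned
    permission set is None, so nothing downstream has anything to check.
    """
    sess = params.get("PHPSESSID")
    if sess is not None:
        contact_id = SESSIONS.get(sess)
        if contact_id is None:
            raise RestAuthError("unknown session")
    else:
        if not _eq(params.get("key", ""), SITE_KEY):
            raise RestAuthError("invalid site key")
        matches = [cid for cid, k in CONTACT_API_KEYS.items()
                   if _eq(k, params.get("api_key", ""))]
        if not matches:
            raise RestAuthError("invalid api_key")
        contact_id = matches[0]

    cms_uid = UF_MATCH.get(contact_id)
    if cms_uid is None:
        if require_cms_user:
            raise RestAuthError("contact %d has no CMS user" % contact_id)
        return contact_id, None  # pre-fix path: permissions silently skipped
    return contact_id, CMS_PERMISSIONS.get(cms_uid, set())


def rest_call(params: dict, entity: str, action: str,
              require_cms_user: bool = True) -> dict:
    """Authenticate, then enforce 'access CiviCRM' when a permission set exists."""
    contact_id, perms = authenticate_rest(params, require_cms_user)
    if perms is not None and "access CiviCRM" not in perms:
        raise RestAuthError("permission denied")
    return {"is_error": 0, "entity": entity, "action": action,
            "contact_id": contact_id, "permissions_checked": perms is not None}


def rest_allows(params: dict, require_cms_user: bool = True) -> bool:
    """True if a Contact.get call with these params would be accepted."""
    try:
        rest_call(params, "Contact", "get", require_cms_user)
        return True
    except RestAuthError:
        return False


if __name__ == "__main__":
    orphan = {"key": SITE_KEY, "api_key": "api-key-orphan"}
    print("pre-fix  accepts orphan contact:", rest_allows(orphan, require_cms_user=False))  # True
    print("post-fix accepts orphan contact:", rest_allows(orphan))                          # False
```

The point the model makes explicit is that the site key and api_key only establish identity; every permission decision lives on the CMS side, so a contact that authenticates but cannot be mapped to a CMS user has to be refused outright rather than allowed to continue with an empty permission context.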

Coleman Watts

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 2346
  • Karma: 183
  • CiviCRM version: The Bleeding Edge
  • CMS version: Various
Re: Potential Security Issue with the REST API and non-drupal users
April 24, 2013, 11:44:59 am
Correct.
That was my comment you stumbled upon, part of my so-far-unsuccessful attempt to decouple the webtest environment from the site being tested.
See http://issues.civicrm.org/jira/browse/CRM-11889
Try asking your question on the new CiviCRM help site.

xavier

  • Forum Goddess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: Potential Security Issue with the REST API and non-drupal users
April 24, 2013, 12:35:43 pm
As for civicrm/api/json, I think it's a nicer and more meaningful url than civicrm/ajax/rest (that isn't rest and expects a session cookie and doesn't "explain" it's the api).

We've been able to migrate the url for civicrm/api/explorer and civicrm/api/doc but not yet to civicrm/api/json.

Don't tell anyone, it's the master plan. If the ghost in the machine is with us, we'll succeed.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result
