
fix(authz): anchor tenant-scope auth exemption to exact paths#74

Merged
rrrodzilla merged 1 commit into main from fix/tenant-scope-auth-exempt-anchor on May 28, 2026

Conversation

@rrrodzilla
Contributor

Summary

Closes an authorization-bypass class in the tenant_scope middleware introduced alongside #70 (GET /auth/me, merged in #72).

The middleware exempted identity endpoints from tenant scoping with an unanchored substring test:

```rust
if request.uri().path().contains("/forge/auth/") { return next.run(...).await; }
```

Any request path that merely contains /forge/auth/ would skip tenant scoping and reach tenant-scoped entity data unscoped. Vectors:

  • Substring: /forge/Account/forge/auth/me
  • Prefix + traversal: /forge/auth/me/../Account/123 (should an upstream proxy fail to normalize ..)

Flagged by automated security review (MEDIUM — Substring/Unanchored Allowlist Bypass).

Fix

  • Replace the substring check with an exact-match allowlist of the three known identity routes (/forge/auth/{login,refresh,me} — the path shape this layer observes, since it wraps the /forge nest but sits under the /api/v{n} version mount).
  • Extract the decision into a pure is_tenancy_exempt(path: &str) -> bool so the security-relevant logic is directly unit-testable.
  • Future /forge/auth/* routes are not silently exempted — they must be added to the allowlist explicitly.

Tests

  • Added unit tests for the exact-match path and for the substring/traversal/prefix/trailing-slash bypass vectors. The prior early-out had no regression coverage — the integration harness (auth_login.rs) mounts auth_routes() without this layer.
  • Full crate suite green: 462 passed. cargo clippy -p schema-forge-acton --all-targets: 0 warnings.

Follow-up to #70 / #72.

The tenant_scope middleware exempted identity endpoints from tenant
scoping with an unanchored substring test (`path.contains("/forge/auth/")`).
A crafted entity path that merely contained that substring — e.g.
`/forge/Account/forge/auth/me` — or a prefix+traversal path such as
`/forge/auth/me/../Account/123` would skip tenant scoping and reach
tenant-scoped data unscoped.

Replace the substring check with an exact-match allowlist of the three
known identity routes, extracted as a pure `is_tenancy_exempt` function
so the security-relevant decision is directly unit-testable. Add tests
covering the substring and traversal bypass vectors; the prior early-out
had no regression coverage because the integration harness does not layer
this middleware.

Follow-up to #70/#72.
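The exact-match allowlist this PR describes, as an added example that is not the project's own code: it puts the original substring check beside an anchored `is_tenancy_exempt` and runs both over the bypass vectors named above. The three route paths come from the PR; the constant and helper names are assumptions.

```rust
// Added example, not the project's own code: the anchored exact-match allowlist
// this PR describes, beside the unanchored substring check it replaces, run over
// the bypass vectors from the PR text. Constant and helper names are assumptions.

/// Identity routes as this layer sees them: it wraps the `/forge` nest under
/// the `/api/v{n}` mount, so the version prefix is not part of `path`.
const TENANCY_EXEMPT_PATHS: [&str; 3] = [
    "/forge/auth/login",
    "/forge/auth/refresh",
    "/forge/auth/me",
];

/// The check this PR removes: any path containing the substring is exempt.
pub fn is_tenancy_exempt_substring(path: &str) -> bool {
    path.contains("/forge/auth/")
}

/// The fix: exact match only. Embedded substrings, trailing slashes,
/// traversal segments and longer prefixes all fall through to tenant scoping.
pub fn is_tenancy_exempt(path: &str) -> bool {
    TENANCY_EXEMPT_PATHS.contains(&path)
}

/// Constructed request paths paired with whether the exemption should apply.
pub fn vectors() -> Vec<(&'static str, bool)> {
    vec![
        ("/forge/auth/me", true),                 // legitimate identity route
        ("/forge/auth/login", true),
        ("/forge/Account/forge/auth/me", false),  // substring bypass
        ("/forge/auth/me/../Account/123", false), // prefix + traversal bypass
        ("/forge/auth/me/", false),               // trailing-slash variant
        ("/forge/auth/metrics", false),           // prefix, not an allowlisted route
        ("/forge/Account/123", false),            // ordinary tenant-scoped entity
    ]
}

/// Every path on which `check` disagrees with the expected decision.
pub fn misclassified(check: fn(&str) -> bool) -> Vec<&'static str> {
    vectors()
        .into_iter()
        .filter(|(path, expected)| check(path) != *expected)
        .map(|(path, _)| path)
        .collect()
}

fn main() {
    println!("substring check misclassifies: {:?}", misclassified(is_tenancy_exempt_substring));
    println!("exact-match check misclassifies: {:?}", misclassified(is_tenancy_exempt));
}
```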
@rrrodzilla rrrodzilla merged commit d4384ae into main May 28, 2026
@rrrodzilla rrrodzilla deleted the fix/tenant-scope-auth-exempt-anchor branch May 28, 2026 18:57