Uploaded image for project: 'Hippo CMS'
  1. Hippo CMS
  2. CMS-15618

Dynamic beans generates properties such as createdBy, modifiedBy which are not supposed to be generated

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • 15.5.0, 16.0.0
    • None
    • 1
    • Pulsar
    • Pulsar 322 - Cycle 6 Cooldown, Orion.Cycle7.Sprint2
    • Undetermined

    Description

      Details are explained in ENT-7058.

      The Problem

      Here is the way how dynamic beans currently works.

      Let's assume there is a content type named myproject:newsdocument. Here is the sample cnd and yaml for this content type: 

      cnd

      [myproject:newsdocument] > myproject:basedocument, hippostd:relaxed, hippotranslation:translated, hippostdpubwf:document
          orderable

      yaml

      /hippo:namespaces/myproject/newsdocument:
        jcr:primaryType: hippo:handle
        jcr:mixinTypes: ['mix:referenceable']
        /newsdocument:
          jcr:primaryType: hipposysedit:contenttype
          jcr:mixinTypes: ['hippostdpubwf:document', 'mix:referenceable']
          hippo:availability: [live, preview]
          hippostd:state: published
          hippostdpubwf:createdBy: admin
          hippostdpubwf:creationDate: 2020-12-10T21:13:39.215+01:00
          hippostdpubwf:lastModificationDate: 2020-12-10T21:13:39.215+01:00
          hippostdpubwf:lastModifiedBy: admin
          hippostdpubwf:publicationDate: 2020-12-10T21:13:39.215+01:00
          /hipposysedit:nodetype:
            jcr:primaryType: hipposysedit:nodetype
            hipposysedit:node: true
            hipposysedit:supertype: ['myproject:basedocument']
            /title:
              jcr:primaryType: hipposysedit:field
              hipposysedit:mandatory: false
              hipposysedit:multiple: false
              hipposysedit:ordered: false
              hipposysedit:path: myproject:title
              hipposysedit:primary: false
              hipposysedit:type: String
          /hipposysedit:prototype:
            jcr:primaryType: contentbeanstest:aggregateddocument
            jcr:mixinTypes: ['myproject:basedocument']
            myproject:title: ''

      myproject:newsdocument has 1 supertype myproject:basedocument, 1 property myproject:title and 1 cnd mixin hippostdpubwf:document (other mixins are not important for the problem).

      This means that the generated dynamic bean for newsdocument will have the properties title (its direct property) and all properties of myproject:basedocument (it's the supertype of newsdocument, let's assume it does not have any direct property in this example).

      The properties createdBy, creationDate, lastModificationDate, lastModifiedBy, publicationDate are also part of newsdocument since hippostdpubwf:document is the mixin of newsdocument. But the properties of hippostdpubwf:document won't be generated as part of the generated dynamic bean since they don't have the same namespace as the myproject:newsdocument (they belong to hippostdpubwf namespace). When generating a dynamic bean, only properties of its own namespace are generated, the rest is excluded.

      But there is an exception for this mechanism. If newsdocument uses plugins such as taxonomy, relateddocs and tags, their properties should be generated as well. Here is an example how it works if newsdocument has the supertype hippotaxonomy:classifiable:

      The generated dynamic bean for newsdocument will have the properties title (its direct property), all properties of myproject:basedocument, hippotaxonomy:keys and hippotaxonomy:keyswithancestors (they come from hippotaxonomy:classifiable). With the inclusion of hippotaxonomy:classifiable supertype, properties of newdocument from hippotaxonomy namespace are allowed and to be generated.

      This approach works fine for taxonomy, relateddocs and tags but it creates a vulnerability in the following case.

      Let's assume that newdocument has the supertype hippostdpubwf:audittrace. This type does not have any property, so in theory the generated dynamic bean should not have any extra fields. But according to the working mechanism of dynamic beans, all properties from hippostdpubwf namespace will be generated since it's a supertype. Hence, createdBy, creationDate, lastModificationDate, lastModifiedBy, publicationDate properties will be generated. Exposing these fields creates a vulnerability since they contain sensitive information (such as usernames). This is the problem case and this ticket solves this problem. 

      Solution

      Instead of allowing all properties from the supertype namespace, only the direct properties of the supertypes should be generated. For the given example, since the supertype hippostdpubwf:audittrace has no direct properties, generated newsdocument dynamic bean should have no properties from hippostdpubwf namespace.

      Attachments

        Activity

          People

            jhoffman Jeroen Hoffman
            ekarakus Erdem Karakus
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: