GeoFence: default access to vector attributes too permissive

Description

If an ALLOW rule in GeoFence does not specify an access type for any attribute (i.e. the attribute list is empty), the access will be "writable" for all attributes.

This is where the attribute list is created:
https://github.com/geoserver/geoserver/blob/2.10.0/src/community/geofence/src/main/java/org/geoserver/geofence/GeofenceAccessManager.java#L452-L455

https://github.com/geoserver/geoserver/blob/2.10.0/src/community/geofence/src/main/java/org/geoserver/geofence/GeofenceAccessManager.java#L583-L585

This is how the Query is generated using the attribute list:
https://github.com/geoserver/geoserver/blob/2.10.0/src/main/src/main/java/org/geoserver/security/VectorAccessLimits.java#L103-L121

As a first security fix, we may change the GeoFenceAccessManager to make access to attributes read-only if the attribute list is empty.
Then, as an improvement to this, we may add a property in GeoFence that tells how to deal with the missing attributes access type.

Also note that at the moment, if an attribute is missing in the rule details, it will not be visible at all.
All in all, this is the current behaviour:

  • no attribute access set for an ALLOWed layer (attribute list is null/empty) --> readwrite access is granted to every attribute

  • A,B,C are the attributes for which an access type is assigned, but the attribute D is not assigned. D will not be visible in GeoServer since it is not in the attribute list provided by the GeoFence engine to the GeoFenceAccessManager.
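
The two cases above and the proposed read-only default, as an added example that is not part of the original issue and is not GeoServer or GeoFence code. It is a simplified model: the class, enum and method names, the sample layer and the sample rules are all hypothetical.

```java
import java.util.*;

// Simplified model of the behaviour described in this issue; all names are
// hypothetical and none of this is GeoServer or GeoFence source code.
public class AttributeDefaultsDemo {
    enum Access { NONE, READONLY, READWRITE }

    /**
     * ruleAttrs: access types assigned in the matching ALLOW rule (may be null or empty).
     * readOnlyWhenEmpty: false = behaviour reported here, true = proposed first fix.
     */
    static Map<String, Access> effectiveAccess(List<String> layerAttrs,
                                               Map<String, Access> ruleAttrs,
                                               boolean readOnlyWhenEmpty) {
        Map<String, Access> out = new LinkedHashMap<>();
        boolean empty = ruleAttrs == null || ruleAttrs.isEmpty();
        for (String name : layerAttrs) {
            if (empty) {
                // No attribute list at all: every attribute gets the default.
                out.put(name, readOnlyWhenEmpty ? Access.READONLY : Access.READWRITE);
            } else {
                // Non-empty list: attributes not listed are not visible.
                out.put(name, ruleAttrs.getOrDefault(name, Access.NONE));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> layer = List.of("A", "B", "C", "D"); // constructed sample layer
        Map<String, Access> partial = new LinkedHashMap<>();
        partial.put("A", Access.READWRITE);
        partial.put("B", Access.READONLY);
        partial.put("C", Access.READONLY);

        System.out.println("empty list, current : " + effectiveAccess(layer, null, false));
        System.out.println("empty list, proposed: " + effectiveAccess(layer, null, true));
        System.out.println("A,B,C listed        : " + effectiveAccess(layer, partial, false));

        // Audit check: flag ALLOW rules that would silently grant write access.
        Map<String, Map<String, Access>> rules = new LinkedHashMap<>(); // constructed rules
        rules.put("rule-1 (no attributes)", Collections.emptyMap());
        rules.put("rule-2 (A,B,C set)", partial);
        rules.forEach((id, attrs) -> {
            boolean writable = effectiveAccess(layer, attrs, false).containsValue(Access.READWRITE);
            boolean implicit = attrs == null || attrs.isEmpty();
            if (writable && implicit) System.out.println("REVIEW " + id + ": implicit readwrite on all attributes");
        });
    }
}
```

The audit loop at the end reports only the rule with no attribute list, which is the case where write access is granted without being stated in the rule.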

Environment

None

Assignee

Emanuele Tajariol

Reporter

Emanuele Tajariol

Triage

None

Fix versions

None

Affects versions

None

Components

Priority

Medium