DSpace issue DS-4432

Traversing the REST API could be possible to reach not accessible objects


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 7.0
    • Fix Version/s: None
    • Component/s: REST API v7
    • Labels: None
    • Attachments: 0
    • Comments: 3
    • Documentation Status: Needed

      Description

      Subpaths are accessible according to the rule defined for the main object, which may not be appropriate: a user who is allowed to read the main object can traverse to linked objects that would not be accessible on their own.
      We should verify whether this is appropriate for all our endpoints; otherwise we should define a mechanism to protect such subpaths.
      This is mainly because RestResourceController provides a default implementation that uses findOne to serve the subpath request, so only the main object is authorized and the embedded resources are returned as they are:

          } else if (resource.getEmbeddedResources().get(rel) instanceof EmbeddedPage) {
              // This is a very inefficient scenario: we have an embedded list,
              // already fully retrieved, that we need to limit with the pagination
              // parameters. Changing the default sorting is not implemented at
              // the current stage and could be overly complex to implement.
              // If we really want pagination we should implement a link
              // repository so as to fall into the previous code block.
              EmbeddedPage ep = (EmbeddedPage) resource.getEmbeddedResources().get(rel);
              // ....
          } else {
              if (resource.getEmbeddedResources().get(rel) == null) {
                  response.setStatus(HttpServletResponse.SC_NO_CONTENT);
              }
              // No authorization check is applied to the embedded resource here.
              return (ResourceSupport) resource.getEmbeddedResources().get(rel);
          }
          // ...
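The following is an added illustration of the access pattern described in this issue; it is not DSpace code. The DSO class, the canRead rule, and the two subpath handlers are hypothetical stand-ins for the real RestResourceController / findOne flow: the first handler authorizes only the main object, as the default implementation does, while the second applies the same rule to every object reached through the subpath.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Illustration added to this issue; not DSpace code. DSO, canRead, findOne and the
// two subpath handlers are hypothetical stand-ins for the real controller flow.
public class SubpathAuthorizationExample {

    // Minimal stand-in for a DSpace object: an id, a read policy and its linked objects.
    static final class DSO {
        final String id;
        final boolean anonymousRead;                   // true: public, false: restricted
        final Map<String, List<DSO>> links = new HashMap<>();

        DSO(String id, boolean anonymousRead) {
            this.id = id;
            this.anonymousRead = anonymousRead;
        }
    }

    // Stand-in for the authorization rule that findOne enforces on the main object.
    static boolean canRead(String user, DSO dso) {
        return dso.anonymousRead || "admin".equals(user);
    }

    // Stand-in for findOne: refuses the main object when the rule is not satisfied.
    static DSO findOne(String user, DSO dso) {
        if (!canRead(user, dso)) {
            throw new SecurityException("forbidden: " + dso.id);
        }
        return dso;
    }

    // Pattern the issue describes: the main object goes through findOne, but the
    // embedded resources under /{id}/{rel} are returned exactly as embedded, so a
    // restricted child is exposed whenever its parent is readable.
    static List<String> subpathUnchecked(String user, DSO parent, String rel) {
        DSO resource = findOne(user, parent);
        List<String> ids = new ArrayList<>();
        for (DSO child : resource.links.getOrDefault(rel, List.of())) {
            ids.add(child.id);
        }
        return ids;
    }

    // Protected variant: every object reached through the subpath must satisfy the
    // same rule the main object had to satisfy, so traversal gains nothing.
    static List<String> subpathChecked(String user, DSO parent, String rel) {
        DSO resource = findOne(user, parent);
        List<String> ids = new ArrayList<>();
        for (DSO child : resource.links.getOrDefault(rel, List.of())) {
            if (canRead(user, child)) {
                ids.add(child.id);
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed sample data: a public collection linking one public and one restricted item.
        DSO collection = new DSO("collection-1", true);
        DSO publicItem = new DSO("item-public", true);
        DSO restrictedItem = new DSO("item-restricted", false);
        collection.links.put("items", List.of(publicItem, restrictedItem));

        String anonymous = null;   // no authenticated user

        // Direct access to the restricted item is refused by findOne.
        try {
            findOne(anonymous, restrictedItem);
        } catch (SecurityException e) {
            System.out.println("direct access: " + e.getMessage());
        }
        // The unchecked subpath still lists the restricted item among the collection's items.
        System.out.println("unchecked /collection-1/items: " + subpathUnchecked(anonymous, collection, "items"));
        // The checked subpath lists only the items the user may read.
        System.out.println("checked   /collection-1/items: " + subpathChecked(anonymous, collection, "items"));
    }
}
```

Running main shows the gap the issue reports: the same object that findOne refuses on its own endpoint is still listed when reached through the parent's subpath, and applying the read rule per embedded object (or delegating to a link repository that does so) closes it.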

              People

              Assignee: Unassigned
              Reporter: bollini (Andrea Bollini, 4Science)
              Votes: 0
              Watchers: 2
