Fixed two IDOR vulnerabilities allowing authenticated users to access
metadata of any tenant namespace without proper authorization.
Changes:
- Added hasAccessToNamespace() for efficient single-namespace access checks
- Get() now verifies access before returning namespace metadata
- Watch() filters events per-namespace with proper authorization
- Returns NotFound (not Forbidden) to prevent tenant enumeration
Performance optimization:
- hasAccessToNamespace() lists RoleBindings only in target namespace
instead of listing all cluster RoleBindings (order of magnitude faster)
- Watch handler logs authorization errors for security audit
Additional fixes:
- Handle ServiceAccount subjects with empty namespace correctly
- Add klog error logging for failed authorization checks
Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| apis | ||
| apiserver | ||
| cmd/server | ||
| config | ||
| generated | ||
| lineage | ||
| ovnstatus | ||
| registry | ||
| version | ||