Writing RDS Files to Arbitrary Locations

esalehi · 3 May 2023 13:40

When a table is fetched using the R function opal.table_get , the table is first exported to the local file system in the RDS file format and subsequently downloaded to the local R client. The export is triggered via an API call like the following:

POST /ws/project/ProjektA/commands/_export HTTP/2
Host: <mydatashieldhost.mydomain>
Cookie: opalsid=a4b56723-032b-465d-9eb8-e8047344gfhj
User-Agent: libcurl/7.88.1 r-curl/5.0.0 httr/1.4.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept: application/json
Content-Length: 217
{
"tables": [
"ProjektA.TestTableA"
],
"format": "rds",
"out": "/home/test_user1/R/7344353//file333393f81300.rds",
"nonIncremental": true,
"noVariables": false,
"copyNullValues": true,
"entityIdNames": "id"
}

we found that the server does not check the permissions on the path specified via the JSON field out. That means that even if the client specifies a path that they usually are not authorized to write to, the export still succeeds and creates said file in the virtual file system. During our test this was used to create a file called test.rds inside the virtual directory /home:

However, the file is locked to the user, but I think this also could be a vulnaribility.

Thank you

yannick · 3 May 2023 19:17

Please add an issue at Issues · obiba/opal · GitHub this is the preferred channel of communication

esalehi · 5 May 2023 08:31

Thank you for your reply. Issue created here:

github.com/obiba/opal

Security Problem with Writing RDS Files to Arbitrary Locations

opened 08:30AM - 05 May 23 UTC

esalehi92

**Describe the bug** we are using DataSHIELD for different projects with differ…ent users and roles. We found out that when each user (even with the least permission of “View dictionary and values of all tables” inside one project) can view the name of other projects and other users as well as the tasks they have done and their logs! **To Reproduce** The export is triggered via an API call like the following: ``` POST /ws/project/ProjektA/commands/_export HTTP/2 Host: <mydatashieldhost.mydomain> Cookie: opalsid=a4b56723-032b-465d-9eb8-e8047344gfhj User-Agent: libcurl/7.88.1 r-curl/5.0.0 httr/1.4.5 Accept-Encoding: gzip, deflate Content-Type: application/json Accept: application/json Content-Length: 217 { "tables": [ "ProjektA.TestTableA" ], "format": "rds", "out": "/home/test_user1/R/7344353//file333393f81300.rds", "nonIncremental": true, "noVariables": false, "copyNullValues": true, "entityIdNames": "id" } ``` **Expected behavior** we found that the server does not check the permissions on the path specified via the JSON field out. That means that even if the client specifies a path that they usually are not authorized to write to, the export still succeeds and creates said file in the virtual file system. During our test this was used to create a file called test.rds inside the virtual directory /home **Screenshots** ![image](https://user-images.githubusercontent.com/114484055/236411254-143c1220-e2f2-48c3-b02a-a1aeb54634cf.png) **Additional context** Security Authorization

Topic		Replies	Views
Error while evaluating resource on client side Analyst Support	8	417	23 September 2021
Error when adding "rds" data as the resource Analyst Support	5	300	2 March 2021
Is it possible to switch the context "R" and "Datashield" Developer support	2	299	2 December 2020
Errors when adding "matrix" format R file using resource Analyst Support	2	321	2 March 2021
An error using resourcer Analyst Support	3	270	6 April 2021

Writing RDS Files to Arbitrary Locations

Related Topics