Comment resource improper handling

Created on 15 March 2025, 29 days ago

Problem/Motivation

This module has a resource improper handling vulnerability.

You can see this vulnerability by:
1. Enabling the latest Drupal 11 JSON:API (REST API) module
2. Performing the steps below as a user who holds only authenticated-user permissions

Note that this was reported in private first and then cleared to be handled in public.

Steps to reproduce

When a user hides comments, other users should not be able to read comments previously posted on the article.
Step 1. For example, admin posts a comment on a secret article.
Step 2. admin sets the comment setting on the article to hidden.
Step 3. The authenticated user bubble could not view the previous comment on the website, but could still view it via JSON:API at /jsonapi/comment/comment.

Proposed resolution

The reason for this vulnerability:
The permission checks on some resources are not fine-grained enough. Only the access-control (ACL permission) check is applied; the state of the resource itself (here, whether comments on the commented entity are hidden) is never evaluated.

A possible fix is for these APIs to be checked against the ACLs and, for comment resources, additionally against the hidden status of the commented entity.
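One way to implement the proposed resolution, as an added example rather than code from this issue or from Drupal core, is an entity access hook on comment entities. JSON:API delegates to the same entity access system as the rendered site, so a check placed here covers /jsonapi/comment/comment as well as the article page. The module name `commentguard` is hypothetical; the Drupal APIs used (`hook_ENTITY_TYPE_access`, `CommentInterface::getCommentedEntity()`, `CommentItemInterface::HIDDEN`, `AccessResult`) are real core APIs.

```php
<?php

/**
 * @file
 * Hypothetical commentguard.module: deny "view" access to a comment when the
 * commented entity's comment field is set to hidden. Added example, not code
 * from Drupal core or from this issue.
 */

use Drupal\comment\CommentInterface;
use Drupal\comment\Plugin\Field\FieldType\CommentItemInterface;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_ENTITY_TYPE_access() for comment entities.
 *
 * Entity access hooks run for the UI, REST and JSON:API alike, so the extra
 * check applies to every way of reading the comment.
 */
function commentguard_comment_access(CommentInterface $comment, string $operation, AccountInterface $account) {
  // Only the read path is affected by the hidden setting.
  if ($operation !== 'view') {
    return AccessResult::neutral();
  }

  $host = $comment->getCommentedEntity();
  $field_name = $comment->getFieldName();

  // Orphaned comment, or a host without the comment field: leave the decision
  // to the normal comment access handler.
  if (!$host instanceof FieldableEntityInterface || !$host->hasField($field_name)) {
    return AccessResult::neutral()->addCacheableDependency($comment);
  }

  // The comment field on the host entity carries the per-entity status:
  // HIDDEN (0), CLOSED (1) or OPEN (2). Hidden means comments must not be
  // shown, regardless of the generic "access comments" permission.
  $status = (int) $host->get($field_name)->status;

  if ($status === CommentItemInterface::HIDDEN && !$account->hasPermission('administer comments')) {
    // Forbid, and make the result depend on both entities so the access
    // cache is invalidated when the host's comment setting changes.
    return AccessResult::forbidden('Comments are hidden on the commented entity.')
      ->addCacheableDependency($host)
      ->addCacheableDependency($comment);
  }

  return AccessResult::neutral()->addCacheableDependency($host);
}
```

Returning `neutral()` rather than `allowed()` in the non-hidden case matters: it keeps the existing comment access handler (published status, "access comments" permission, ownership) as the deciding authority and only adds a further reason to forbid. Cacheability metadata on the host entity is what makes the JSON:API response drop the comments as soon as the article's comment setting is switched to hidden.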

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Fixed

Version

8.0 ⚰️

Component

comment.module

Created by

🇨🇳China bubblegvm
