Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Claiming any existing composite resources would break multi tenancy and lead to security issue #783

Open
gberche-orange opened this issue Jun 6, 2024 · 0 comments · May be fixed by #784
Labels
bug Something isn't working

Comments

@gberche-orange
Copy link
Member

gberche-orange commented Jun 6, 2024

URL

https://docs.crossplane.io/v1.16/concepts/claims/#claiming-existing-composite-resources

What's Wrong?

The existing wording in the documentation implicitly tells that an existing composite resource can be claimed in any namespace just by referencing its name. This would be an important threat scenario to add to https://github.com/crossplane/crossplane/blob/master/security/ADA-security-audit-23.pdf section "Crossplane Claims" page 10

Doc should detail that there is a protection mechanism in place to maintain multi-tenancy :

crossplane/crossplane#5423 Multiple claims on a single composite resource

I'm unable to make multiple claims on the same CompositeResource object, whichever Claim object grabs it first wins.

Also doc should be detail whether a claim is vulnerable to a race condition attacks:

  • an attacker tries to take over an existing composite when a claim is being deleted
  • an attacker tries to take over an composite being created

Threat scenario if doc is correct

Given a platform consumer using namespaces to distinguish different roles (e.g. prod vs non-prod)

Given actor-1 in namespace-prod provisions "prod-confidential-db" claim, and writes confidential to it. Let's call prod-composite-1 the name of the associated composite object.

Given actor-2 learns or guesses the name of the prod-composite-1 resource, and creates a claim using resourceRef in namespace non-prod

apiVersion: example.org/v1alpha1
kind: database
metadata:
  name: claiming-another-team-database
spec:
  resourceRef:
    apiVersion: example.org/v1alpha1
    kind: XMyDatabase
    name: prod-composite-1

Then, a connection secret in the namespace would provide access to the production database from the non-prod namespace

@gberche-orange gberche-orange added the bug Something isn't working label Jun 6, 2024
gberche-orange added a commit to gberche-orange/docs that referenced this issue Jun 6, 2024
…rror

CompositeAlreadyBoundError should be returned if a composite is already bound to a claim

Fixes crossplane#783
@gberche-orange gberche-orange changed the title Claiming existing composite resources would break multi tenancy and lead to security issue Claiming any existing composite resources would break multi tenancy and lead to security issue Jun 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant