Skip to content

feat: Return more 404s vs 403s #2194

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 16 commits into from
Jun 14, 2022
Merged

feat: Return more 404s vs 403s #2194

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
a92f132
feat: Return more 404s vs 403s
Emyrk Jun 8, 2022
4e23ea7
Fix unit test assertion
Emyrk Jun 8, 2022
0562d2c
return 404 when member of org not found
Emyrk Jun 9, 2022
c7f976e
fixup! return 404 when member of org not found
Emyrk Jun 9, 2022
6ef1647
chore: Manually forbidden after Authorize
Emyrk Jun 10, 2022
8f90af4
Use %q over %s
Emyrk Jun 10, 2022
a6d15ed
Fix authoirze test
Emyrk Jun 10, 2022
815baf9
Return vague 404
Emyrk Jun 10, 2022
3f742ba
Merge remote-tracking branch 'origin/main' into stevenmasley/404_vs_403
Emyrk Jun 10, 2022
8bfe1f7
fix test assert
Emyrk Jun 10, 2022
7155b2e
Merge remote-tracking branch 'origin/main' into stevenmasley/404_vs_403
Emyrk Jun 10, 2022
7aa76f7
Fix compile issue
Emyrk Jun 10, 2022
3f07738
Modify 404 message
Emyrk Jun 10, 2022
9a40838
Merge remote-tracking branch 'origin/main' into stevenmasley/404_vs_403
Emyrk Jun 13, 2022
2c1ac1c
Use proper 404s
Emyrk Jun 13, 2022
93c04db
If cannot read user, return 404
Emyrk Jun 13, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions cli/autostart_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ func TestAutostart(t *testing.T) {
clitest.SetupConfig(t, client, root)

err := cmd.Execute()
require.ErrorContains(t, err, "status code 403: Forbidden", "unexpected error")
require.ErrorContains(t, err, "status code 404", "unexpected error")
})

t.Run("Disable_NotFound", func(t *testing.T) {
Expand All @@ -126,7 +126,7 @@ func TestAutostart(t *testing.T) {
clitest.SetupConfig(t, client, root)

err := cmd.Execute()
require.ErrorContains(t, err, "status code 403: Forbidden", "unexpected error")
require.ErrorContains(t, err, "status code 404:", "unexpected error")
})

t.Run("Enable_DefaultSchedule", func(t *testing.T) {
Expand Down
4 changes: 2 additions & 2 deletions cli/ttl_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,7 +149,7 @@ func TestTTL(t *testing.T) {
clitest.SetupConfig(t, client, root)

err := cmd.Execute()
require.ErrorContains(t, err, "status code 403: Forbidden", "unexpected error")
require.ErrorContains(t, err, "status code 404:", "unexpected error")
})

t.Run("Unset_NotFound", func(t *testing.T) {
Expand All @@ -166,7 +166,7 @@ func TestTTL(t *testing.T) {
clitest.SetupConfig(t, client, root)

err := cmd.Execute()
require.ErrorContains(t, err, "status code 403: Forbidden", "unexpected error")
require.ErrorContains(t, err, "status code 404:", "unexpected error")
})

t.Run("TemplateMaxTTL", func(t *testing.T) {
Expand Down
4 changes: 3 additions & 1 deletion coderd/files.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,9 @@ func (api *API) fileByHash(rw http.ResponseWriter, r *http.Request) {
}
file, err := api.Database.GetFileByHash(r.Context(), hash)
if errors.Is(err, sql.ErrNoRows) {
httpapi.Forbidden(rw)
httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this reintroduces the security concern that now you can distinguish between whether it exists or not even if you have no access. We should also return 404 on line 102 of this file.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see what you mean. Before we were returning 403 to be consistent, but that is not a good UX.

If authorize returns a 404 in some cases, can that be a bad UX?

My question is mainly, are these security concerns ones we should take as important right now. If we return a 403 vs 404 we do leak the info so the user knows if the resource exists or not. Is that a security issue we should take seriously right now? (Honest question)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security impact is minor in a real sense, but paints us in a "these people don't know what they're doing" light to security minded people, so IMO the impact is basically on par with the confusion we had before.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So it look like I need to make Authorize return a 404 message consistent with the existing 404 message

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah. It would be good to have one 404 code path that we use everywhere so we can standardize messaging.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@spikecurtis Will fix this now.

Message: fmt.Sprintf("File %q not found.", hash),
})
return
}
if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion coderd/files_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ func TestDownload(t *testing.T) {
_, _, err := client.Download(context.Background(), "something")
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
})

t.Run("Insert", func(t *testing.T) {
Expand Down
2 changes: 1 addition & 1 deletion coderd/httpmw/organizationparam.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.H
UserID: user.ID,
})
if errors.Is(err, sql.ErrNoRows) {
httpapi.Write(rw, http.StatusForbidden, httpapi.Response{
httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
Message: "Not a member of the organization.",
})
return
Expand Down
2 changes: 1 addition & 1 deletion coderd/httpmw/organizationparam_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -144,7 +144,7 @@ func TestOrganizationParam(t *testing.T) {
rtr.ServeHTTP(rw, r)
res := rw.Result()
defer res.Body.Close()
require.Equal(t, http.StatusForbidden, res.StatusCode)
require.Equal(t, http.StatusNotFound, res.StatusCode)
})

t.Run("Success", func(t *testing.T) {
Expand Down
2 changes: 1 addition & 1 deletion coderd/organizations_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ func TestOrganizationByUserAndName(t *testing.T) {
_, err := client.OrganizationByName(context.Background(), codersdk.Me, "nothing")
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
})

t.Run("NoMember", func(t *testing.T) {
Expand Down
4 changes: 3 additions & 1 deletion coderd/parameters.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -223,7 +223,9 @@ func (api *API) parameterRBACResource(rw http.ResponseWriter, r *http.Request, s
// Write error payload to rw if we cannot find the resource for the scope
if err != nil {
if xerrors.Is(err, sql.ErrNoRows) {
httpapi.Forbidden(rw)
httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
Message: fmt.Sprintf("Scope %q resource %q not found.", scope, scopeID),
})
} else {
httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
Message: err.Error(),
Expand Down
4 changes: 3 additions & 1 deletion coderd/templateversions.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -351,7 +351,9 @@ func (api *API) fetchTemplateVersionDryRunJob(rw http.ResponseWriter, r *http.Re

job, err := api.Database.GetProvisionerJobByID(r.Context(), jobUUID)
if xerrors.Is(err, sql.ErrNoRows) {
httpapi.Forbidden(rw)
httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
Message: fmt.Sprintf("Provisioner job %q not found.", jobUUID),
})
return database.ProvisionerJob{}, false
}
if err != nil {
Expand Down
11 changes: 7 additions & 4 deletions coderd/users.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -604,13 +604,16 @@ func (api *API) organizationByUserAndName(rw http.ResponseWriter, r *http.Reques
organizationName := chi.URLParam(r, "organizationname")
organization, err := api.Database.GetOrganizationByName(r.Context(), organizationName)
if errors.Is(err, sql.ErrNoRows) {
// Return unauthorized rather than a 404 to not leak if the organization
// exists.
httpapi.Forbidden(rw)
httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
Message: fmt.Sprintf("Organization %q not found.", organizationName),
})
return
}
if err != nil {
httpapi.Forbidden(rw)
httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
Message: "Internal error fetching organization.",
Detail: err.Error(),
})
return
}

Expand Down
5 changes: 3 additions & 2 deletions coderd/workspaces.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -192,8 +192,9 @@ func (api *API) workspaceByOwnerAndName(rw http.ResponseWriter, r *http.Request)
})
}
if errors.Is(err, sql.ErrNoRows) {
// Do not leak information if the workspace exists or not
httpapi.Forbidden(rw)
httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
Message: fmt.Sprintf("Workspace %q not found.", workspaceName),
})
return
}
if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion coderd/workspaces_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -295,7 +295,7 @@ func TestWorkspaceByOwnerAndName(t *testing.T) {
// Then:
// When we call without includes_deleted, we don't expect to get the workspace back
_, err = client.WorkspaceByOwnerAndName(context.Background(), workspace.OwnerName, workspace.Name, codersdk.WorkspaceByOwnerAndNameParams{})
require.ErrorContains(t, err, "403")
require.ErrorContains(t, err, "404")

// Then:
// When we call with includes_deleted, we should get the workspace back
Expand Down