Team scope authorization bypass when Post/Put request with :team_name in body, allows HTTP parameter pollution

Impact

For some Post/Put Concourse endpoint containing :team_name in the URL, a Concourse user can send a request with body including :team_name=team2 to bypass team scope check to gain access to certain resources belong to any other team. The user only needs a valid user session and belongs to team2.

Exploitable endpoints:

{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/builds/:build_name", Method: "POST", Name: RerunJobBuild},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/pause", Method: "PUT", Name: PauseJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/unpause", Method: "PUT", Name: UnpauseJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/schedule", Method: "PUT", Name: ScheduleJob},

{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/pause", Method: "PUT", Name: PausePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/unpause", Method: "PUT", Name: UnpausePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/expose", Method: "PUT", Name: ExposePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/hide", Method: "PUT", Name: HidePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/rename", Method: "PUT", Name: RenamePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/archive", Method: "PUT", Name: ArchivePipeline},

{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/enable", Method: "PUT", Name: EnableResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/disable", Method: "PUT", Name: DisableResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/pin", Method: "PUT", Name: PinResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/unpin", Method: "PUT", Name: UnpinResource},
	
{Path: "/api/v1/teams/:team_name/artifacts", Method: "POST", Name: CreateArtifact},

Steps to reproduce

1. Set up a Concourse deployment with team 1 (with pipeline 1) and team 2. User is in team 2 but not team 1.
2. Login as user to team 2.

fly -t ci login -n team2 -u user -p password

3. Try pausing pipeline 1 in team 1 using fly. Verify the command output is pipeline 'pipeline1' not found.

fly -t ci pause-pipeline -p pipeline1

4. Send a customized request through fly curl command intend to pause pipeline 1 again.

fly -t ci curl /api/v1/teams/team1/pipelines/pipeline1/pause -- -X PUT -d ":team_name=team2" -H "Content-type: application/x-www-form-urlencoded"

5. pipeline 1 in team 1 will be paused.

In step 4, the parameter pollution would allow an user from any team to pause a pipeline that belongs to other team.

Patches

Concourse v6.7.9 and v7.8.3 were both released with a fix on October 12, 2022.

Instead of using FormValue to parse team_name in the request, where allows body parameters to take precedence over URL query string values, both patch versions are now using URL.Query().Get() over multiple scope handlers to prevent the parameter pollution.

Workarounds

No known workarounds for existing versions.

References

• https://github.com/concourse/concourse/pull/8566: PR with the fix

For more information

If you have any questions or comments about this advisory, you may reach us privately at [email protected].