fix(security): don't grant reviewer authz shortcut on CREATE#30026
Open
sonika-shah wants to merge 1 commit into
Open
fix(security): don't grant reviewer authz shortcut on CREATE#30026sonika-shah wants to merge 1 commit into
sonika-shah wants to merge 1 commit into
Conversation
Contributor
✅ PR checks passedThe linked issue has a description and all required Shipping project fields set. Thanks! |
b6a4ea8 to
43591c8
Compare
43591c8 to
ad14e4f
Compare
ad14e4f to
2ecd574
Compare
DefaultAuthorizer.authorize() short-circuits policy evaluation when the caller is a reviewer of the resource. For CREATE operations the ResourceContext is a CreateResourceContext whose entity is the unsaved, caller-supplied request body. A user could therefore add themselves to the reviewers field of a create request to make isReviewer() return true and bypass RBAC, creating entities (e.g. Data Products) they have no Create permission for. This affects both the REST API and the MCP tool, which share the authorization path. Gate the reviewer shortcut so it only applies to already persisted entities, never to a CreateResourceContext. Reviewer-based authorization continues to work for Edit/View/approval operations on existing entities. Adds a regression test asserting policy evaluation still runs when a user self-assigns as a reviewer during CREATE.
2ecd574 to
f75227c
Compare
Code Review ✅ ApprovedCloses a privilege escalation vulnerability where callers could bypass RBAC during entity creation by self-assigning as reviewers. The authorization shortcut is now gated to exclude unpersisted entities, ensuring policies are correctly evaluated for all CREATE requests. OptionsDisplay: compact → Showing less information. Comment with these commands to change the behavior for this request:
Was this helpful? React with 👍 / 👎 | Gitar |
yan-3005
approved these changes
Jul 14, 2026
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Fixes #29837
Problem
DefaultAuthorizer.authorize()short-circuits policy evaluation when the caller is a reviewer of the resource:For CREATE operations the
ResourceContextInterfaceis aCreateResourceContext, whosegetEntity()returns the unsaved, caller-supplied request body.isReviewer()readsentity.getReviewers()from that in-flight entity, so a user can add themselves to thereviewersfield of a create request, makeisReviewer()returntrue, and skip RBAC entirely — creating entities (e.g. Data Products) they have noCreatepermission for.Because the REST API and the MCP tool share this authorization path, both are affected. The UI's own gating masks it, but the server does not enforce it.
Scope is broader than Data Products: any reviewer-supporting entity (Glossary, GlossaryTerm, DataProduct, Metric, Tag, DataContract, …) created via the standard path is exposed.
Reproduction (before this change)
Principal: a non-admin with only
DataConsumerrole → effectiveCreateondataProduct=notAllow.POST /dataProducts(no reviewers)operations [Create] not allowedPOST /dataProducts+reviewers:[{self}]Fix
Gate the reviewer shortcut so it only applies to already persisted entities, never a
CreateResourceContext:DefaultAuthorizer.isReviewer()— the hard-coded shortcut (the reported vector).RuleEvaluator.isReviewer()— the SpEL condition available to custom policies, which reads the same in-flight entity. No shipped policy uses it, but guarding it too closes the same bug class as defense-in-depth.Reviewer-based authorization continues to work for Edit/View/approval operations on existing entities. Verified the legitimate paths are unaffected: glossary-term approval is an UPDATE on a persisted term (
checkUpdatedByReviewer), and inherited parent reviewers are not present on the entity at authorize-time (prepareInternalnever populatesreviewers; storage runs inrepository.create()after authorize).Tests
DefaultAuthorizerTest.authorizeDoesNotTreatSelfAssignedReviewerAsReviewerOnCreate— policy evaluation still runs when a user self-assigns as reviewer during CREATE.RuleEvaluatorTest.test_isReviewer— extended so a self-assigned reviewer on aCreateResourceContextreturnsfalse.Both fail without the corresponding guard and pass with it. Full security/policy unit suites green:
DefaultAuthorizerTest(14),RuleEvaluatorTest(24),SubjectContextTest(11),ExpressionValidatorTest(35).Greptile Summary
This PR fixes the reviewer authorization shortcut for create requests. The main changes are:
CreateResourceContextinDefaultAuthorizer.RuleEvaluator.isReviewer().Confidence Score: 5/5
This looks safe to merge.
Important Files Changed
isReviewer()from treating create-request reviewers as persisted reviewers.isReviewer()is false for self-assigned reviewers on create contexts.Reviews (2): Last reviewed commit: "fix(security): don't grant reviewer auth..." | Re-trigger Greptile
Context used (3)