Security: Privilege escalation via role permissions (create_role/update_role) #75
Labels
No labels
area:api
area:core
area:docs
area:infra
area:ux
dependencies
documentation
duplicate
good first issue
help wanted
invalid
question
rust
status:complete
status:partial
status:planned
type:bug
type:design
type:feature
type:infra
type:refactor
type:refactor
type:research
type:ux
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
icub3d/decentcom#75
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Severity: Critical — found in code review 2026-07-07.
Problem
create_role(server/src/roles/handlers.rs:121) andupdate_role(:162) passreq.permissionsstraight to storage without checking that the caller actually holds those bits. They gate only onMANAGE_ROLESand role position.A user with
MANAGE_ROLESbut notADMINISTRATORcan:POST /roleswithpermissions = ADMINISTRATOR(1<<13) andposition = highest_role_position - 1(passes the position check).PUT /members/{self}/roles/{new_role}—add_member_roleonly checksensure_higher_than(role.position), which passes.compute_base_permissionsORs inADMINISTRATOR→ full server control.update_rolehas the same hole — it blocks editing the built-inadminrole's permissions but allows addingADMINISTRATORto any other lower-positioned role.Impact: any
MANAGE_ROLESholder escalates to full admin. Collapses the entire permission model.Fix
When the caller lacks
ADMINISTRATOR, reject anyreq.permissionscontaining bits the caller doesn't hold:(req.permissions & !caller.permissions) != 0→ 403. Specifically forbid settingADMINISTRATOR. Apply to bothcreate_roleandupdate_role.Acceptance
create_rolerejects permission bits the caller doesn't hold (403)update_rolerejects permission bits the caller doesn't hold (403)MANAGE_ROLES-only user gets 403 minting anADMINISTRATORrole