[dev.icinga.com #13991] Possible race condition in API filters

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/13991

Created by jflach on 2017-01-13 08:51:24 +00:00

Assignee: jflach
Status: New
Target Version: (none)
Last Update: 2017-01-13 08:51:24 +00:00 (in Redmine)

Icinga Version: 2.6.0
Backport?: Not yet backported
Include in Changelog: 1

---

There is a possible race condition when running multiple API requests, causing a user to be able to access objects they are not allowed to.

Example:

$ for i in {1..10}; do (curl -k -s -u "test:7kPXq7iaqRUo3mk4" -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/schedule-downtime?type=Service' -d '{"comment": "test", "author": "test", "start_time": 1400000000, "end_time": 1500000000, "duration": 0}' | python -m json.tool | grep -F '"name":' | grep -vF '"name": "ns1!' &); done; sleep 10
            "name": "gateway!ping4!icinga2test-1461616884-3013",
            "name": "foo!ping6!icinga2test-1461616884-3023",
            "name": "foo!http!icinga2test-1461616884-3036",
            "name": "foo!swap!icinga2test-1461616884-3088",
            "name": "ns2!ping6!icinga2test-1461616884-3094",

[Crunsher]

I was unable to reproduce this with the current master.

I tried the example with 10 requests, 200 requests, working requests simultaneously