Empty update action with policies?

Here is a test code about my question.

And here is a resource code about my question.

Brief overview about my test

  • resource: Store, Inventory, Product
  • actor: Customer
  • actions:
    Store.purchase calls Inventory.purchase thru manage_relationship.
    Inventory.purchase calls Product.purchase thru manage_relationship.
  • policies:
    Store.purchase checks open and close time.
    Inventory.purchase checks inventory count.
    Product.purchase checks customer’s age.

Question

Product.purchase update action is an empty action with policies.
Even if it does nothing, but I want to check policies always.

  1. With require_atomic? false in action, always check policies.
    Without it, never check policies. Is this intended behavior?

  2. Using require_atomic? false to force policy check is weird,
    and I found access_type :strict forces policy check.
    Empty action with access_type :filter skips policy check.
    Is this intended behavior?

+ small questions (not related to content)

  1. How can I auto generate postgres schema migration? Should I write it manually?

1 & 2: atomic actions don’t bypass policies. Could you describe the specific behavior that you’re seeing? What specifically makes you say that it’s not checking policies?

  1. When you say auto generate postgres schema migration, what do you mean? You can generate migrations for resources with mix ash.codegen name_for_your_changes. Are you referring to something else there?
defmodule SonetLib.TestRepo.Migrations.AddSchema do
  @moduledoc """
  Updates resources based on their most recent snapshots.

  This file was autogenerated with `mix ash_postgres.generate_migrations`
  """

  use Ecto.Migration

  def up do
    create table(:customer, primary_key: false, prefix: "seven_eleven") do
      add :id, :uuid, null: false, default: fragment("uuid_generate_v7()"), primary_key: true
      add :age, :bigint, null: false
    end
  end

  def down do
    drop table(:customer, prefix: "seven_eleven")
  end
end

If I generate migration using mix ash.codegen,
I can see prefix: "seven_eleven" in the generated code,
but there is no execute("CREATE SCHEMA seven_eleven").

You can easily reproduce it by running my test in above repository.

Here’s what I seeing.

  1. I call Store.purchase action.
  2. Store.purchase calls Inventory.purchase thru manage_relationship.
  3. Inventory.purchase calls Product.purchase thru manage_relationship.
  4. If Product.purchase looks like below, policy check is skipped.
update :purchase

If Product.purchase looks like below, policy check is not skipped.

update :purchase do
  require_atomic? false
end

If I comment out require_atomic? false in my Product.purchase action, the test fails.

Okay, I’ve identified the issue. It’s a very specific edge case. Its “skipping” the policy check in the case that an atomic action would induce no changes, however it’s important to note that it only does that when it is explicitly requested that no fields be updated (regardless of their initial value). So a very rare case (to call an update action that statically will not update any fields).

Aside from it being rare, I would not classify this as a security vulnerability because you can already see the record (thats how you’d be updating it in this way), and if an update were to actually happen, it would have been prevented.

Still, its confusing and problematic behavior, especially because it “presents” as if policies are being skipped, which is not a good thing.

1 Like

Ah, right. Yeah in this case you’ll want to alter the migrations by hand to generate the schema. We could add something into ensure they exist if we haven’t already, would be worth opening an issue in ash_postgres.

Fixed in ash_postgres version 2.4.10

1 Like

Is it really that “rare” case?
I think policy can check resource’s own field only,
so empty action could be exist often for policy check.

Is there anything I can do instead of Product.purchase empty action in above example?

Can you tell me what is fixed exactly?
I cannot find anything related in ash_postgres changelog.

This is from the changelog: “when an atomic update is fully skipped, run the query if it could produce errors”. You should see the difference by looking at what SQL queries are run in your reproduction.

It’s not that rare to have an action that can never update your own fields, but it’s rare to have one that can statically update none of its own fields and has side effects and is performed atomically. Actions called after the main resource action are authorized by their respective resource’s policies though, so any “nested” updates would be caught in a future check. Additionally most side effects like that prevent an action from being atomic without explicit action. I.e if you had added a before or after action hook, it would have required that you set require_atomic? false

I’m not sure I understand the question. Does upgrading AshPostgres not solve the issue?

Actually, this is a security issue. My initial evaluation was wrong. Because you could have hooks running resource actions with authorize?: false, and have been relying on the update policies to prevent those side effects. I will issue a CVE for affected AshPostgres versions when I am back at my computer in a few hours, and I will also see if there is a way to programmatically identify actions that may have been affected.

Regardless, the latest version of ash_postgres fixes the issue.

Aha… I misunderstood. I thought the “schema related question” was fixed.

  1) test ash_postgres test complex policy with nested resources (SonetLib.Ash.Policies.CommonTest)
     test/sonet_lib/ash/policies/common_test.exs:119
     ** (Ash.Error.Unknown) Unknown Error

     * %Postgrex.Error{message: nil, postgres: %{code: :undefined_table, line: "1452", message: "relation \"product\" does not exist", position: "56", file: "parse_relation.c", unknown: "ERROR", severity: "ERROR", pg_code: "42P01", routine: "parserOpenTable"}, connection_id: 73416, query: "SELECT p0.\"id\", p0.\"is_adult_only\", p0.\"store_id\" FROM \"product\" AS p0 WHERE (p0.\"id\"::uuid = $1::uuid) AND ((CASE WHEN NOT (p0.\"is_adult_only\"::boolean) THEN $2 ELSE ash_raise_error($3::jsonb) END))"}
       (ecto_sql 3.12.1) lib/ecto/adapters/sql.ex:1096: Ecto.Adapters.SQL.raise_sql_call_error/1
       (ecto_sql 3.12.1) lib/ecto/adapters/sql.ex:994: Ecto.Adapters.SQL.execute/6
       (ecto 3.12.4) lib/ecto/repo/queryable.ex:232: Ecto.Repo.Queryable.execute/4
       (ecto 3.12.4) lib/ecto/repo/queryable.ex:19: Ecto.Repo.Queryable.all/3
       (ash_postgres 2.4.10) lib/data_layer.ex:1365: AshPostgres.DataLayer.update_query/4
       (ash 3.4.35) lib/ash/actions/update/bulk.ex:537: Ash.Actions.Update.Bulk.do_atomic_update/5
       (ash 3.4.35) lib/ash/actions/update/bulk.ex:266: Ash.Actions.Update.Bulk.run/6
       (ash 3.4.35) lib/ash/actions/update/update.ex:158: Ash.Actions.Update.run/4
       (ash 3.4.35) lib/ash.ex:2665: Ash.update/3
       (ash 3.4.35) lib/ash/actions/managed_relationships.ex:1397: Ash.Actions.ManagedRelationships.handle_update/9
       (ash 3.4.35) lib/ash/actions/managed_relationships.ex:735: anonymous fn/10 in Ash.Actions.ManagedRelationships.manage_relationship/7
       (elixir 1.17.0) lib/enum.ex:4858: Enumerable.List.reduce/3
       (elixir 1.17.0) lib/enum.ex:2585: Enum.reduce_while/3
       (ash 3.4.35) lib/ash/actions/managed_relationships.ex:732: Ash.Actions.ManagedRelationships.manage_relationship/7
       (ash 3.4.35) lib/ash/actions/managed_relationships.ex:554: anonymous fn/4 in Ash.Actions.ManagedRelationships.manage_relationships/4
       (elixir 1.17.0) lib/enum.ex:4858: Enumerable.List.reduce/3
       (elixir 1.17.0) lib/enum.ex:2585: Enum.reduce_while/3
       (ash 3.4.35) lib/ash/actions/update/update.ex:639: Ash.Actions.Update.manage_relationships/4
       (ash 3.4.35) lib/ash/actions/update/update.ex:503: anonymous fn/5 in Ash.Actions.Update.commit/3
       (ash 3.4.35) lib/ash/changeset/changeset.ex:3848: Ash.Changeset.run_around_actions/2
     stacktrace:
       (ecto_sql 3.12.1) lib/ecto/adapters/sql.ex:1096: Ecto.Adapters.SQL.raise_sql_call_error/1
       (ecto_sql 3.12.1) lib/ecto/adapters/sql.ex:994: Ecto.Adapters.SQL.execute/6
       (ecto 3.12.4) lib/ecto/repo/queryable.ex:232: Ecto.Repo.Queryable.execute/4
       (ecto 3.12.4) lib/ecto/repo/queryable.ex:19: Ecto.Repo.Queryable.all/3
       (ash_postgres 2.4.10) lib/data_layer.ex:1365: AshPostgres.DataLayer.update_query/4
       (ash 3.4.35) lib/ash/actions/update/bulk.ex:537: Ash.Actions.Update.Bulk.do_atomic_update/5
       (ash 3.4.35) lib/ash/actions/update/bulk.ex:266: Ash.Actions.Update.Bulk.run/6
       (ash 3.4.35) lib/ash/actions/update/update.ex:158: Ash.Actions.Update.run/4
       (ash 3.4.35) lib/ash.ex:2665: Ash.update/3
       (ash 3.4.35) lib/ash/actions/managed_relationships.ex:1397: Ash.Actions.ManagedRelationships.handle_update/9
       (ash 3.4.35) lib/ash/actions/managed_relationships.ex:735: anonymous fn/10 in Ash.Actions.ManagedRelationships.manage_relationship/7
       (elixir 1.17.0) lib/enum.ex:4858: Enumerable.List.reduce/3
       (elixir 1.17.0) lib/enum.ex:2585: Enum.reduce_while/3
       (ash 3.4.35) lib/ash/actions/managed_relationships.ex:732: Ash.Actions.ManagedRelationships.manage_relationship/7
       (ash 3.4.35) lib/ash/actions/managed_relationships.ex:554: anonymous fn/4 in Ash.Actions.ManagedRelationships.manage_relationships/4
       (elixir 1.17.0) lib/enum.ex:4858: Enumerable.List.reduce/3
       (elixir 1.17.0) lib/enum.ex:2585: Enum.reduce_while/3
       (ash 3.4.35) lib/ash/actions/update/update.ex:639: Ash.Actions.Update.manage_relationships/4
       (ash 3.4.35) lib/ash/actions/update/update.ex:503: anonymous fn/5 in Ash.Actions.Update.commit/3
       (ash 3.4.35) lib/ash/changeset/changeset.ex:3848: Ash.Changeset.run_around_actions/2

But another weird error is raised.
Not a forbidden error.

Okay, this is a separate issue that I will address in the morning as well (luckily not another security related one). In that particular place the schema is not being added to the query.

I was unable to reproduce this. I’m using your repository against the latest ash and ash_postgres. Can you confirm that this occurs in the repo that you provided? Did you have to change it in some way to see that behavior?

    policy action(:purchase) do
      # access_type :strict
      forbid_unless actor_present()
      authorize_if expr(not is_adult_only or ^actor(:age) >= 19)
    end

You need to comment out access_type :strict in Product policy.

Fixed in 2.4.11 of ash_postgres.

1 Like

CVE has been created here: Empty, atomic, non-bulk actions, policy bypass for side-effects vulnerability. · Advisory · ash-project/ash_postgres · GitHub

1 Like