The vulnerability occurs in the Ash policy evaluation logic when a bypass policy with a true condition fails its authorization checks and no other policies have matching conditions. The bug is in lib/ash/policy/policy.ex at line 69, where the code incorrectly uses the bypass condition expression (cond_expr) instead of the complete authorization expression (complete_expr) when updating the `one_condition_matches` state.

Because of this, if a bypass policy's condition is true (e.g. always()) but its authorization checks fail (e.g. `authorize_if actor_attribute_equals(:is_admin, true)` for a non-admin user), the system still records "one condition matches" as true. When the remaining policies have non-matching conditions (so `all_policies_match` is vacuously true), the final authorization decision is true AND true, and access is incorrectly granted. The bypass condition's truth is mistakenly allowed to satisfy the requirement that at least one policy applies, even though the bypass policy itself did not authorize the request.
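The following is an added example, not code from Ash or from this report: a simplified Python model of the evaluation logic described above, with a switch between the pre-fix behaviour (the bypass's bare condition feeds `one_condition_matches`) and the post-fix behaviour (the complete expression does). The `Policy`, `evaluate` and `decisions` names, the dict-based actors and the policies themselves are constructed for illustration; only `authorize_if` checks are modelled, and Ash's real policy.ex compiles policies into expressions rather than evaluating closures like this.

```python
# Added example (not Ash's own code): a simplified model of policy evaluation
# showing the pre-fix and post-fix handling of a bypass whose condition holds
# but whose checks fail. Names and data structures here are assumptions.
from dataclasses import dataclass, field
from typing import Callable

Actor = dict
Check = Callable[[Actor], bool]


def always() -> Check:
    """Condition/check that holds for every actor (models Ash's always())."""
    return lambda actor: True


def actor_attribute_equals(attr: str, value) -> Check:
    """Models actor_attribute_equals/2 against a plain dict actor."""
    return lambda actor: actor.get(attr) == value


@dataclass
class Policy:
    name: str
    condition: Check                                         # the policy's condition clause
    authorize_if: list[Check] = field(default_factory=list)  # any passing check authorizes
    bypass: bool = False                                     # True models a bypass block


def evaluate(policies: list[Policy], actor: Actor, fixed: bool) -> bool:
    """Return True if access is granted.

    fixed=False reproduces the pre-PR-2365 logic: a bypass's bare condition
    (cond_expr) updates one_condition_matches. fixed=True uses the complete
    expression (condition AND checks), so a failed bypass contributes nothing.
    """
    one_condition_matches = False
    all_policies_match = True

    for policy in policies:
        cond_expr = policy.condition(actor)
        checks_pass = any(check(actor) for check in policy.authorize_if)
        complete_expr = cond_expr and checks_pass

        if policy.bypass:
            if complete_expr:
                return True  # bypass authorized outright; later policies are skipped
            # Buggy variant: a bypass whose condition held but whose checks
            # failed still counts as "a policy applied".
            one_condition_matches = one_condition_matches or (
                complete_expr if fixed else cond_expr
            )
            continue

        # Regular policy: it applies when its condition holds, and then its
        # checks must pass for the overall decision to be true.
        one_condition_matches = one_condition_matches or cond_expr
        if cond_expr:
            all_policies_match = all_policies_match and checks_pass

    # Forbid by default: some policy must apply, and every applying policy must pass.
    return one_condition_matches and all_policies_match


# Constructed policies mirroring the scenario in the text: a bypass with an
# always() condition gated on is_admin, followed by a policy whose condition
# only matches auditors.
POLICIES = [
    Policy("admin bypass", always(),
           [actor_attribute_equals("is_admin", True)], bypass=True),
    Policy("auditor read", actor_attribute_equals("role", "auditor"),
           [always()]),
]

# Constructed actors.
NON_ADMIN = {"id": 7, "is_admin": False, "role": "user"}
ADMIN = {"id": 1, "is_admin": True, "role": "user"}
AUDITOR = {"id": 3, "is_admin": False, "role": "auditor"}


def decisions(actor: Actor) -> dict:
    """Pre-fix and post-fix decisions for one actor."""
    return {"buggy": evaluate(POLICIES, actor, fixed=False),
            "fixed": evaluate(POLICIES, actor, fixed=True)}


if __name__ == "__main__":
    for label, actor in [("non-admin", NON_ADMIN), ("admin", ADMIN), ("auditor", AUDITOR)]:
        print(label, decisions(actor))
```

For the non-admin actor the buggy variant grants access (the bypass condition alone satisfied `one_condition_matches`, and the auditor policy did not apply, so `all_policies_match` stayed true), while the fixed variant forbids. Admins and auditors are granted access under both variants, which is why the defect is easy to miss in tests that only use actors some policy is meant to match.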
Platform: Ash Framework
Version: Pre PR 2365 fix
Vulnerability: Authorization Bypass
Severity: Critical
date: 2024-XX-XX
Prediction: Patch 2024-06-15
What Undercode Says:
Locate and inspect the fix commit:
git log --oneline | grep 79749c26
git show 79749c26
Test to reproduce the issue: mix test test/ash/policy/policy_test.exs:120
Code diff for the fix: git diff HEAD~1 lib/ash/policy/policy.ex
How to Exploit:
Malicious query targeting a resource with a flawed bypass policy: Ash.get(Resource, "sensitive_data_id", actor: non_admin_user)
Protection from this CVE:
Update Ash Framework
Review bypass policies
Avoid always() conditions
Impact:
Unauthorized data access
Policy enforcement failure
Privilege escalation
Sources:
Reported By: github.com