
Race Condition Vulnerability that makes user lose privileges #2

Open

superoo1 opened this issue Aug 3, 2023 · 1 comment

Comments


superoo1 commented Aug 3, 2023

The code is in https://github.com/anerg2046/go-admin-server/blob/master/app/http/repo/Role.go, in the function Assign.
When giving someone privileges, it first removes all of the user's privileges. Under some race conditions, this makes the user lose privileges.
[image: rce_condition]

Exploit:
Request the API in 50 threads.
[image: threads]

comm users have no privileges, and the slow SQL log shows the deletion of all of the user's casbin_rule rows.

[image: slow_log]
And you cannot log in to the system.
[image: cant_login]
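The shape the report describes, delete every rule the user has and then insert the new set, next to a hardened form, as an added example in Go that is not code from go-admin-server or casbin. The RuleTable stands in for the casbin_rule table, FailOn injects the kind of database error an assignment can hit under load, UnsafeAssign and SafeAssign are the two assignment shapes, and Hammer repeats the reporter's experiment of many overlapping requests; the user and role names are made up.

```go
package main

import (
	"fmt"
	"slices"
	"sync"
	"sync/atomic"
)

// Rule is one row of a casbin_rule-style table. This file is an example stand-in, not project code.
type Rule struct{ User, Role string }

// RuleTable plays the DB: mu makes each statement atomic (as a real DB would, no more); assign serialises SafeAssign.
type RuleTable struct {
	mu, assign sync.Mutex
	Rows       map[Rule]bool
	FailOn     Rule // inserting this rule fails (simulated DB error under load)
}

// Roles is what a login or permission check loads for the user.
func (t *RuleTable) Roles(user string) map[string]bool {
	t.mu.Lock(); defer t.mu.Unlock()
	out := map[string]bool{}
	for r := range t.Rows {
		if r.User == user {
			out[r.Role] = true
		}
	}
	return out
}

func (t *RuleTable) Delete(r Rule) { t.mu.Lock(); delete(t.Rows, r); t.mu.Unlock() }

func (t *RuleTable) Insert(r Rule) error {
	t.mu.Lock(); defer t.mu.Unlock()
	if r == t.FailOn {
		return fmt.Errorf("simulated DB error inserting %v", r)
	}
	t.Rows[r] = true
	return nil
}

// UnsafeAssign is the "remove all, then add" shape from the issue: each statement is
// atomic, the sequence is not, so a failed insert or a concurrent reader finds no rows.
func UnsafeAssign(t *RuleTable, user string, roles []string) error {
	for role := range t.Roles(user) { // the DELETE seen in the slow SQL log
		t.Delete(Rule{user, role})
	}
	for _, role := range roles {
		if err := t.Insert(Rule{user, role}); err != nil {
			return err // the old rows are already gone; nothing restores them
		}
	}
	return nil
}

// SafeAssign applies the difference: insert missing roles first, delete unwanted ones
// last, and never touch a role kept across the change, so there is no empty window.
func SafeAssign(t *RuleTable, user string, roles []string) error {
	t.assign.Lock(); defer t.assign.Unlock()
	have := t.Roles(user)
	for _, r := range roles {
		if !have[r] {
			if err := t.Insert(Rule{user, r}); err != nil {
				return err // a failure here leaves the old roles intact
			}
		}
	}
	for r := range have {
		if !slices.Contains(roles, r) {
			t.Delete(Rule{user, r})
		}
	}
	return nil
}

// Hammer replays the reporter's experiment: n concurrent assignments while a watcher
// keeps loading the user's roles. It returns the final roles and how many samples saw none.
func Hammer(t *RuleTable, assign func(*RuleTable, string, []string) error,
	user string, roles []string, n int) (map[string]bool, int) {
	var stop atomic.Bool
	watch := make(chan int)
	go func() {
		empty := 0
		for !stop.Load() {
			if len(t.Roles(user)) == 0 {
				empty++
			}
		}
		watch <- empty
	}()
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); _ = assign(t, user, roles) }()
	}
	wg.Wait()
	stop.Store(true)
	return t.Roles(user), <-watch
}
```

Drive it from a test file or a main of your own. Hammer with UnsafeAssign can report a non-zero number of samples in which the user had no roles at all, which is the "cannot log in" symptom while the requests overlap, and if any insert fails after the deletes the user stays that way. With SafeAssign the count is always zero, because a role present in both the old and the new set is never deleted and a failed insert leaves the old rows in place. The assign mutex only serialises callers inside one process; when several server instances share the database, wrap the two phases in one transaction (or lock the user's rows) as well.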

@anerg2046 (Owner)

I have changed casbin to multi-goroutine mode; please update the lib submodule. Actually, the core of this problem is a casbin issue, because everything ultimately has to land in the database; if the database operation goes wrong, casbin's permission management goes wrong. Generally speaking, though, concurrency problems do not occur in user permission operations.
