fix: vulnerability that allowed user to set acls for non-owned worlds

decentraland · Jan 27, 2024 · cc30c51 · cc30c51
1 parent 8a9edd8
commit cc30c51
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 0 deletions.
diff --git a/src/controllers/handlers/acl-handlers.ts b/src/controllers/handlers/acl-handlers.ts
@@ -3,6 +3,7 @@ import { AccessControlList, HandlerContextWithPath, PermissionType } from '../..
 import { AuthChain, EthAddress } from '@dcl/schemas'
 import { defaultPermissions } from '../../logic/permissions-checker'
 import { InvalidRequestError } from '@dcl/platform-server-commons'
+import { Authenticator } from '@dcl/crypto'
 
 export async function getAclHandler(
   ctx: HandlerContextWithPath<'worldsManager', '/acl/:world_name'>
@@ -35,6 +36,9 @@ export async function postAclHandler(
   if (!AuthChain.validate(authChain)) {
     throw new InvalidRequestError('Invalid payload received. Need to be a valid AuthChain.')
   }
+  if (!Authenticator.isValidAuthChain(authChain)) {
+    throw new InvalidRequestError('Invalid payload received. Need to be a valid AuthChain.')
+  }
 
   const permission = await namePermissionChecker.checkPermission(authChain[0].payload, worldName)
   if (!permission) {

diff --git a/test/integration/acl-handlers.spec.ts b/test/integration/acl-handlers.spec.ts
@@ -336,5 +336,47 @@ test('acl handlers', function ({ components, stubComponents }) {
         message: `Timestamp is not recent. Please sign a new ACL change request.`
       })
     })
+
+    it.only('fails when the auth chain is invalid', async () => {
+      const delegatedIdentity = await getIdentity()
+
+      const timestamp = new Date().toISOString()
+      const payload = {
+        resource: worldName,
+        allowed: [delegatedIdentity.realAccount.address],
+        timestamp
+      }
+
+      const invalidAuthChain = [
+        { type: 'SIGNER', payload: ownerIdentity.realAccount.address },
+        { type: 'SIGNER', payload: JSON.stringify(payload) } // Auth Chain node is invalid
+      ]
+
+      const r = await localFetch.fetch(`/acl/${worldName}`, {
+        body: JSON.stringify(invalidAuthChain),
+        method: 'POST'
+      })
+
+      expect(r.status).toEqual(400)
+      expect(await r.json()).toEqual({
+        error: 'Bad request',
+        message: `Invalid payload received. Need to be a valid AuthChain.`
+      })
+
+      const stored = await worldsManager.getMetadataForWorld(worldName)
+      expect(stored).toMatchObject({
+        permissions: {
+          ...defaultPermissions(),
+          deployment: {
+            type: PermissionType.AllowList,
+            wallets: []
+          },
+          streaming: {
+            type: PermissionType.AllowList,
+            wallets: []
+          }
+        }
+      })
+    })
   })
 })