[CWD-1354] Crowd does not protect itself against searchPrincipals without a predicate

    • Type: Suggestion
    • Resolution: Won't Fix
    • None
    • Database
    • None

      See https://extranet.atlassian.com/jira/browse/ADM-2735

      <?xml version="1.0"?>
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      	<soap:Body>
      		<ns1:searchPrincipals xmlns:ns1="urn:SecurityServer">
      			<ns1:in0>
      				<name xmlns="http://authentication.integration.crowd.atlassian.com">xxx</name>
      				<token xmlns="http://authentication.integration.crowd.atlassian.crowd">xxx</token>
      			</ns1:in0>
      			<ns1:in1/>
      		</ns1:searchPrincipals>
      	</soap:Body>
      </soap:Envelope>
      

      Causes Crowd to return all principals, which consumes a potentially unlimited amount of heap, CPU and DB resources.
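As an added illustration (not part of the original report and not Crowd's own code), the following Python sketch shows a check that a filter in front of the SOAP endpoint could use to flag searchPrincipals calls that carry no predicate. It assumes each search restriction appears as a child element of in1; the `restriction` element in the bounded sample is a hypothetical placeholder, and both sample envelopes are constructed from the request shown above.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CROWD_NS = "urn:SecurityServer"  # namespace taken from the request in the report


def classify_search_request(body: bytes) -> str:
    """Return 'not-search', 'bounded', 'unbounded' or 'malformed'."""
    # SOAP 1.1 messages must not contain a DTD; refusing one up front also
    # keeps entity-expansion payloads away from the parser.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return "malformed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "malformed"
    call = root.find(f"{{{SOAP_NS}}}Body/{{{CROWD_NS}}}searchPrincipals")
    if call is None:
        return "not-search"
    restrictions = call.find(f"{{{CROWD_NS}}}in1")
    # Assumption: every restriction is a child element of in1, so an absent
    # or empty in1 means the caller asked for all principals.
    if restrictions is None or len(restrictions) == 0:
        return "unbounded"
    return "bounded"


def sample_envelope(in1: str) -> bytes:
    """Build a constructed sample request around the given in1 fragment."""
    return (
        f'<?xml version="1.0"?><soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<ns1:searchPrincipals xmlns:ns1="{CROWD_NS}"><ns1:in0/>{in1}'
        "</ns1:searchPrincipals></soap:Body></soap:Envelope>"
    ).encode()


# Constructed samples: the first mirrors the empty <ns1:in1/> from the report.
SAMPLE_UNBOUNDED = sample_envelope("<ns1:in1/>")
SAMPLE_BOUNDED = sample_envelope(
    "<ns1:in1><restriction>placeholder</restriction></ns1:in1>"  # hypothetical
)

if __name__ == "__main__":
    for label, msg in (("empty in1", SAMPLE_UNBOUNDED), ("with predicate", SAMPLE_BOUNDED)):
        print(label, "->", classify_search_request(msg))
```

A request classified as unbounded can be rejected, rate limited or logged before it reaches the directory backend.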


            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3551241 ] New: JAC Suggestion Workflow 3 [ 3630981 ]
            Status Original: RESOLVED [ 5 ] New: Closed [ 6 ]
            Monique Khairuliana (Inactive) made changes -
            Parent Original: CWD-1508 [ 84932 ]
            Affects Version/s Original: 1.5.2 [ 14263 ]
            Workflow Original: JAC Sub-task Workflow [ 3389515 ] New: JAC Suggestion Workflow [ 3551241 ]
            Issue Type Original: Sub-task [ 6 ] New: Suggestion [ 10000 ]
            Priority Original: Medium [ 3 ]
            Status Original: Closed [ 6 ] New: RESOLVED [ 5 ]
            set-jac-bot made changes -
            Link New: This issue is detailed by CWD-1508 [ CWD-1508 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 - restricted [ 1510627 ] New: JAC Sub-task Workflow [ 3389515 ]
            Lukasz Pater made changes -
            Resolution New: Won't Fix [ 2 ]
            Status Original: Open [ 1 ] New: Closed [ 6 ]
            vkharisma made changes -
            Link New: This issue is caused by JRACLOUD-16131 [ JRACLOUD-16131 ]
            Owen made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 [ 1390452 ] New: Simplified Crowd Development Workflow v2 - restricted [ 1510627 ]
            Owen made changes -
            Workflow Original: Crowd Development Workflow v2 [ 273071 ] New: Simplified Crowd Development Workflow v2 [ 1390452 ]
            joe made changes -
            Priority Original: Critical [ 2 ] New: Major [ 3 ]
            joe made changes -
            Assignee Original: David O'Flynn [Atlassian] [ doflynn ]

              Unassigned
              dcheney David Cheney (Inactive)