Skip to content

Latest commit

 

History

History
181 lines (138 loc) · 10.6 KB

mitigations.md

File metadata and controls

181 lines (138 loc) · 10.6 KB

Mitigation Strategies Analysis for spatie/laravel-permission

Mitigation Strategy: Principle of Least Privilege and Granular Permissions

  • Description:

    1. Identify Actions: List all distinct actions users can perform within the application.
    2. Create Permissions (using spatie/laravel-permission): Use the package's methods (Permission::create(['name' => '...'])) to create specific permissions for each action. Avoid broad permissions.
    3. Create Roles (using spatie/laravel-permission, if needed): Use the package's methods (Role::create(['name' => '...'])) to group related permissions into roles only if it simplifies management without granting excessive access.
    4. Assign Permissions/Roles (using spatie/laravel-permission): Use the package's methods ($user->givePermissionTo(...), $user->assignRole(...)) to grant only the minimum required permissions/roles to users.
    5. Avoid Default Permissions: Do not assign any permissions by default.
    6. Regular Review: Regularly review permissions and roles created and assigned using the package.

  • Threats Mitigated:

    • Incorrect Role/Permission Assignment (Human Error): (Severity: High)
    • "Super Admin" Bypass (Partial): (Severity: High)
    • Insider Threats: (Severity: Medium)

  • Impact:

    • Incorrect Role/Permission Assignment: Risk significantly reduced.
    • "Super Admin" Bypass: Partial risk reduction.
    • Insider Threats: Significant risk reduction.

  • Currently Implemented:

    • Permissions and roles are defined using spatie/laravel-permission's methods in seeders.
    • Basic user role assignment is done using $user->assignRole(...).

  • Missing Implementation:

    • Granular permissions are missing for some features.
    • Regular, scheduled reviews are not formalized.
    • No automated tests specifically verify minimum permissions.

Mitigation Strategy: Mandatory Code Reviews for Authorization Changes (Focusing on spatie/laravel-permission Usage)

  • Description:

    1. Policy Enforcement: Enforce code reviews for any code change involving spatie/laravel-permission's methods or Blade directives.
    2. Checklist (Specific to spatie/laravel-permission): Include in the checklist:
      • Correct usage of can, @can, hasRole, hasPermissionTo, givePermissionTo, assignRole, revokePermissionTo, removeRole, etc.
      • Proper cache invalidation using forgetCachedPermissions.
      • No hardcoded role or permission names (use constants or configuration).
    3. Reviewer Training: Ensure reviewers are familiar with spatie/laravel-permission.

  • Threats Mitigated:

    • Incorrect Role/Permission Assignment (Human Error): (Severity: High)
    • Improper use of Blade Directives: (Severity: Medium)
    • Relying solely on hasRole/hasPermissionTo: (Severity: Medium)
    • "Super Admin" Bypass (Partial): (Severity: High)

  • Impact:

    • Incorrect Role/Permission Assignment: High risk reduction.
    • Improper use of Blade Directives: High risk reduction.
    • Relying solely on hasRole/hasPermissionTo: High risk reduction.
    • "Super Admin" Bypass: Moderate risk reduction.

  • Currently Implemented:

    • Code reviews are mandatory.

  • Missing Implementation:

    • A dedicated authorization checklist (focused on spatie/laravel-permission) is missing.
    • Formal training on the package for reviewers is inconsistent.

Mitigation Strategy: Automated Authorization Testing (Targeting spatie/laravel-permission)

  • Description:

    1. Test Types: Create tests that specifically use spatie/laravel-permission's methods and features:
      • Test can, hasRole, hasPermissionTo in various scenarios.
      • Test Blade directives (@can, @role, etc.).
      • Test permission/role assignment and revocation.
      • Test cache invalidation (forgetCachedPermissions).
    2. Test Data: Create test users and assign roles/permissions using the package's methods.
    3. Assertions: Verify the expected behavior of the package's methods and directives.
    4. Continuous Integration: Integrate tests into the CI pipeline.

  • Threats Mitigated:

    • Incorrect Role/Permission Assignment (Human Error): (Severity: High)
    • Improper use of Blade Directives: (Severity: Medium)
    • Relying solely on hasRole/hasPermissionTo: (Severity: Medium)
    • Caching Issues: (Severity: Medium)
    • Regression Bugs: (Severity: Medium)

  • Impact:

    • Incorrect Role/Permission Assignment: High risk reduction.
    • Improper use of Blade Directives: High risk reduction.
    • Relying solely on hasRole/hasPermissionTo: High risk reduction.
    • Caching Issues: Moderate risk reduction.
    • Regression Bugs: High risk reduction.

  • Currently Implemented:

    • Some feature tests use @can and related methods.

  • Missing Implementation:

    • Comprehensive negative tests are lacking.
    • Dedicated test users with specific roles/permissions are not consistently used.
    • Tests for cache invalidation are missing.

Mitigation Strategy: Proper Usage of Blade Directives (Provided by spatie/laravel-permission)

  • Description:

    1. Understand Directives: Thoroughly understand @can, @cannot, @role, @hasrole, @hasanyrole, @hasallroles, @unlessrole, @haspermissionto, @hasanypermission, @hasallpermissions. Refer to the package documentation.
    2. Always Pass Model Instances: When checking permissions on a specific model instance, always pass the instance to @can.
    3. Avoid Logic in Views: Minimize complex authorization logic directly within Blade templates. Use Policies and helper methods in your controllers or models.
    4. Code Reviews: Review Blade templates for correct directive usage.

  • Threats Mitigated:

    • Improper use of Blade Directives: (Severity: Medium) - Prevents authorization bypasses due to incorrect directive usage.

  • Impact:

    • Improper use of Blade Directives: High risk reduction.

  • Currently Implemented:

    • Blade directives are used for authorization checks in views.

  • Missing Implementation:

    • Consistent enforcement of passing model instances to @can is not always followed.
    • Code reviews don't always catch subtle errors in directive usage.

Mitigation Strategy: Proper Cache Management (Using spatie/laravel-permission's Features)

  • Description:

    1. Understand Caching: Understand how the package caches permissions.
    2. Cache Clearing: Whenever roles or permissions are modified (using the package's methods), explicitly call forgetCachedPermissions().
    3. Testing: Include automated tests that specifically verify cache invalidation:
      • Modify roles/permissions using the package's methods.
      • Call forgetCachedPermissions().
      • Verify changes are reflected in authorization checks.

  • Threats Mitigated:

    • Caching Issues: (Severity: Medium)

  • Impact:

    • Caching Issues: High risk reduction.

  • Currently Implemented:

    • forgetCachedPermissions() is called in some places.

  • Missing Implementation:

    • Consistent cache clearing is not implemented everywhere.
    • Automated tests for cache invalidation are missing.

Mitigation Strategy: Prefer can and Policies over hasRole/hasPermissionTo

  • Description:

    1. Understand the Difference: Understand that can (and @can) checks against model policies, while hasRole and hasPermissionTo only check for the presence of a role or permission.
    2. Use can by Default: In most cases, use can (and @can) for authorization checks. This ensures that model-specific authorization logic (defined in Policies) is considered.
    3. Use hasRole/hasPermissionTo Sparingly: Use hasRole and hasPermissionTo only when you specifically need to check if a user possesses a role or permission, and you are certain no model policies are involved.
    4. Code Reviews: Ensure code reviews check for appropriate use of these methods.

  • Threats Mitigated:

    • Relying solely on hasRole/hasPermissionTo: (Severity: Medium) - Prevents authorization bypasses due to neglecting model policies.

  • Impact:

    • Relying solely on hasRole/hasPermissionTo: High risk reduction.

  • Currently Implemented:

    • can and @can are used in many places.

  • Missing Implementation:

    • Consistent use of can over hasRole/hasPermissionTo is not always followed.
    • Code reviews don't always catch incorrect usage.

Mitigation Strategy: Avoid Wildcard Permissions

  • Description:

    1. Understand Wildcard: The wildcard permission (*) grants access to everything.
    2. Avoid Wildcard: Do not assign the wildcard permission (*) to any role, especially the "Super Admin" role.
    3. Explicit Permissions: Explicitly assign the necessary permissions to roles, even for administrative roles.
    4. Review Existing Roles: Review all existing roles (created using spatie/laravel-permission) and remove the wildcard permission if it exists.

  • Threats Mitigated:

    • "Super Admin" Bypass (Partial): (Severity: High) - Reduces the impact of a compromised super admin account.
    • Incorrect Role/Permission Assignment (Human Error): (Severity: High) - Limits the scope of damage if a role with the wildcard permission is accidentally assigned.

  • Impact:

    • "Super Admin" Bypass: Moderate risk reduction.
    • Incorrect Role/Permission Assignment: High risk reduction.

  • Currently Implemented:

    • None.

  • Missing Implementation:

    • The Super Admin role currently has the wildcard permission. This needs to be removed and replaced with explicit permissions.