Permission Inheritance Flaw
A flaw in the permission-check logic lets a low-privilege user obtain high-privilege access.
Common mistake: checking permissions with includes() or other fuzzy (substring) matching.
💡 Log in with the "editor" role and try requesting the delete:all permission.
The editor only has write:content, but the vulnerable check lets the request through!
```javascript
// ❌ Vulnerable: fuzzy (substring) matching
function hasPermission(userPermissions, required) {
  return userPermissions.some(p =>
    p.includes('write') ||              // any permission containing "write" passes
    required.includes(p.split(':')[1])  // fuzzy match on the part after ':'
  )
}
// The editor holds write:content
// and requests delete:all.
// Because write:content contains 'write', the check passes!
```

```javascript
// ✅ Secure: exact matching
function hasPermission(userPermissions, required) {
  return userPermissions.includes(required)  // the full "action:scope" string must be present
}
```
| Role | read:public | read:own | write:own | write:content | read:all | write:all | delete:all | manage:users |
|---|---|---|---|---|---|---|---|---|
| guest | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| user | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| editor | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| admin | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
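To show how far the fuzzy check diverges from the role matrix above, here is an added example (not code from the original page): it transcribes the table into a role-to-permission map, runs both the vulnerable substring check and the exact-match check for every role against every permission column, and reports each grant that the matrix does not list. The names `ROLE_PERMISSIONS`, `ALL_PERMISSIONS`, `hasPermissionVulnerable`, `hasPermissionSecure` and `findEscalations` are assumptions for this example.

```javascript
// Role -> permission table, transcribed from the matrix on the page.
const ROLE_PERMISSIONS = {
  guest:  ['read:public'],
  user:   ['read:public', 'read:own', 'write:own'],
  editor: ['read:public', 'read:own', 'write:own', 'write:content'],
  admin:  ['read:public', 'read:own', 'write:own', 'read:all', 'write:all',
           'delete:all', 'manage:users'],
};

// Every permission column in the matrix.
const ALL_PERMISSIONS = [
  'read:public', 'read:own', 'write:own', 'write:content',
  'read:all', 'write:all', 'delete:all', 'manage:users',
];

// The vulnerable check from the page: substring matching on permission strings.
function hasPermissionVulnerable(userPermissions, required) {
  return userPermissions.some(p =>
    p.includes('write') ||
    required.includes(p.split(':')[1])
  );
}

// The hardened check from the page: exact membership of the full string.
function hasPermissionSecure(userPermissions, required) {
  return userPermissions.includes(required);
}

// Audit helper (assumed name): for a given checker, list every
// "role -> permission" pair the checker grants although the matrix
// does not list that permission for that role.
function findEscalations(checker) {
  const escalations = [];
  for (const [role, perms] of Object.entries(ROLE_PERMISSIONS)) {
    for (const required of ALL_PERMISSIONS) {
      const intended = perms.includes(required);
      const granted = checker(perms, required);
      if (granted && !intended) escalations.push(`${role} -> ${required}`);
    }
  }
  return escalations;
}

// The scenario from the page: an editor requesting delete:all.
console.log('vulnerable:', hasPermissionVulnerable(ROLE_PERMISSIONS.editor, 'delete:all'));
console.log('secure:    ', hasPermissionSecure(ROLE_PERMISSIONS.editor, 'delete:all'));
// Full audit of both checkers against the matrix.
console.log('escalations (vulnerable):', findEscalations(hasPermissionVulnerable));
console.log('escalations (secure):    ', findEscalations(hasPermissionSecure));
```

Run with node. Under the vulnerable checker every role that holds any `write:*` permission (user, editor and admin) is granted all eight columns, so the audit reports ten unlisted grants, including `editor -> delete:all`; under exact matching it reports none. Exact matching also means admin's `write:all` does not imply `write:content`, which the matrix lists admin as not having. If such an implication is intended, express it as an explicit expansion of the table, never as a string comparison.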