GHSA-pm3x-jrhh-qcr7

Published: Nov 13, 2025
Source: github
Github: Reviewed
CVSS4: 2.7
CVSS3: 6.5

Description

SpiceDB WriteRelationships fails silently if payload is too big

Impact

Users who:

  1. Use the exclusion operator somewhere in their authorization schema.
  2. Have configured their SpiceDB server such that --write-relationships-max-updates-per-call is bigger than 6500.
  3. Issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows.

Users will:

  1. Receive a successful response from their WriteRelationships call, when in reality that call failed.
  2. Receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion.

Patches

Upgrade to v1.45.2.

Workarounds

Set --write-relationships-max-updates-per-call to 1000.
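The conditions listed under Impact can be checked against a deployment's version, flag value and schema text. The Go code below is an added example, not code from SpiceDB or from the advisory; the function names and the sample schema are assumptions. It covers only the statically checkable conditions (version, flag value, use of exclusion), not whether a given payload exceeds the datastore's limit.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// From the advisory: first fixed release; flag values above 6500 are at risk.
var fixed = [3]int{1, 45, 2}
var comments = regexp.MustCompile(`(?s)/\*.*?\*/|//[^\n]*`)
var permission = regexp.MustCompile(`(?m)^\s*permission\s+\w+\s*=([^\n]+)`)

// olderThanFixed reports whether a release such as "v1.45.1" precedes 1.45.2.
func olderThanFixed(version string) (bool, error) {
	var v [3]int
	if _, err := fmt.Sscanf(strings.TrimPrefix(version, "v"), "%d.%d.%d", &v[0], &v[1], &v[2]); err != nil {
		return false, fmt.Errorf("unexpected version %q: %w", version, err)
	}
	for i := range v {
		if v[i] != fixed[i] {
			return v[i] < fixed[i], nil
		}
	}
	return false, nil
}

// usesExclusion reports whether a permission expression contains the exclusion
// operator "-", ignoring comments and "->" arrows. Assumes one-line expressions.
func usesExclusion(schema string) bool {
	for _, m := range permission.FindAllStringSubmatch(comments.ReplaceAllString(schema, ""), -1) {
		if strings.Contains(strings.ReplaceAll(m[1], "->", ""), "-") {
			return true
		}
	}
	return false
}

// Exposed combines the advisory's statically checkable preconditions.
func Exposed(version string, maxUpdates int, schema string) (bool, error) {
	old, err := olderThanFixed(version)
	return old && maxUpdates > 6500 && usesExclusion(schema), err
}

func main() {
	// Constructed sample schema, not taken from a real deployment.
	schema := "definition document {\n\trelation viewer: user\n\trelation banned: user\n\tpermission view = viewer - banned\n}"
	fmt.Println(Exposed("v1.45.1", 10000, schema))
}
```

Pass the value of --write-relationships-max-updates-per-call from the server's configuration as maxUpdates.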

Packages

Name: github.com/authzed/spicedb (go)
Affected versions: < 1.45.2
Fixed version: 1.45.2

EPSS

Percentile: 20%
0.00063
Low

CVSS4: 2.7 Low
CVSS3: 6.5 Medium

Weaknesses

CWE-770

Related vulnerabilities

CVSS3: 6.5
nvd
3 months ago

SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500; and issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows; will receive a successful response from their `WriteRelationships` call, when in reality that call failed, and receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. Version 1.45.2 contains a patch for the issue. As a workaround, set `--write-relationships-max-updates-per-call` to `1000`.
