pip-CVE-2026-25660--claude-opus-4-8--mKNBter
CVE-2026-25660 · claude-opus-4-8
passgate full · reward 0.92
- turns
- 188
- tokens in
- 4.9M
- tokens out
- 43k
- exit
- passed
Instruction
The Python project codechecker contains a security vulnerability in the CWE-863 (Incorrect Authorization) class.
Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping all existing functionality intact. If you find no such vulnerability, make no changes.
The verifier inspects the permission-checking code paths to ensure unauthenticated requests are handled correctly when authentication is enabled on the server.
Reward signals
r_apply1.00
r_test_pass1.00
r_pass_to_pass1.00
r_locality0.62
r_minimality0.55
Verifier · 20/20 security · 1/1 pass-to-pass
- ../dev::test_has_permission_rejects_none_session_when_auth_enabled · 0ms
- ../dev::test_has_permission_grants_none_session_when_auth_disabled · 0ms
- ../dev::test_has_permission_accepts_auth_enabled_param · 0ms
- ../dev::test_require_permission_denies_none_user_when_auth_enabled · 0ms
- ../dev::test_require_manager_denies_none_user_when_auth_enabled · 0ms
- ../dev::test_require_permission_accepts_auth_enabled · 0ms
- ../dev::test_require_manager_accepts_auth_enabled · 0ms
- ../dev::test_no_silent_bypass_via_missing_auth_flag · 0ms
- ../dev::test_product_server_passes_auth_flag · 0ms
- ../dev::test_authentication_passes_auth_flag_to_manager · 0ms
- ../dev::test_regression_root_superuser_shortcut · 0ms
- ../dev::test_regression_has_permission_calls_perm_impl · 0ms
- ../dev::test_regression_require_permission_walks_ancestors · 0ms
- ../dev::test_regression_require_manager_iterates_managed_by · 0ms
- ../dev::test_module_loads_with_permission_registry · 0ms
- ../dev::test_get_permissions_preserves_scope_filtering · 0ms
- ../dev::test_api_enum_round_trips_existing_permissions · 0ms
- ../dev::test_handler_construction_filters_extra_params · 0ms
- ../dev::test_permission_relationship_metadata_is_preserved · 0ms
- ../dev::test_new_permission_registration_round_trips · 0ms
Candidate patch
web/server/codechecker_server/api/authentication.py
index f12f8e6..4482be4 100644
@@ -599,20 +599,22 @@ class ThriftAuthHandler:
 params = ThriftAuthHandler.__unpack_extra_params(extra_params, session)
 
+ is_auth_enabled = self.__manager.is_enabled
 perms = []
 for perm in permissions.get_permissions(scope):
 should_return = True
 handler = make_handler(perm, params)
 if should_return and perm_filter.given:
- should_return = handler.has_permission(self.__auth_session)
+ should_return = handler.has_permission(self.__auth_session,
+ is_auth_enabled)
 if should_return and perm_filter.canManage:
 # If the user has any of the permissions that are
 # authorised to manage the currently iterated permission,
 # the filter passes.
 should_return = require_manager(
- perm, params, self.__auth_session)
+ perm, params, self.__auth_session, is_auth_enabled)
 if should_return:
 perms.append(perm)
@@ -631,7 +633,8 @@ class ThriftAuthHandler:
 perm, params = ThriftAuthHandler.__create_permission_args(
 permission, extra_params, session)
 
- if not require_manager(perm, params, self.__auth_session):
+ if not require_manager(perm, params, self.__auth_session,
+ self.__manager.is_enabled):
 raise codechecker_api_shared.ttypes.RequestFailed(
 codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
 f"You can not manage the permission '{perm.name}'")
@@ -654,7 +657,8 @@ class ThriftAuthHandler:
 perm, params = ThriftAuthHandler.__create_permission_args(
 permission, extra_params, session)
 
- if not require_manager(perm, params, self.__auth_session):
+ if not require_manager(perm, params, self.__auth_session,
+ self.__manager.is_enabled):
 raise codechecker_api_shared.ttypes.RequestFailed(
 codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
 f"You can not manage the permission '{perm.name}'")
@@ -677,7 +681,8 @@ class ThriftAuthHandler:
 perm, params = ThriftAuthHandler.__create_permission_args(
 permission, extra_params, session)
 
- if not require_manager(perm, params, self.__auth_session):
+ if not require_manager(perm, params, self.__auth_session,
+ self.__manager.is_enabled):
raise codechecker_api_shared.ttypes.RequestFailed(
 codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
 f"You can not manage the permission '{perm.name}'")
@@ -703,7 +708,8 @@ class ThriftAuthHandler:
 permission, extra_params, session)
 return require_permission(perm, params,
- self.__auth_session)
+ self.__auth_session,
+ self.__manager.is_enabled)
 # ============= Authorization, permission management =============
 
web/server/codechecker_server/api/product_server.py
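Review bot: The -703 hunk (`hasPermission`) and the -631/-654/-677 hunks each read `self.__manager.is_enabled` inline at the call, while the -599 hunk reads it once into a local `is_auth_enabled`; the two spellings will drift, and a private accessor such as `def __is_auth_enabled(self): return self.__manager.is_enabled` used by all five call sites would keep the flag's source in one place. The flag is forwarded without conversion, so the checks are only as fail-closed as the value `is_enabled` yields; a `bool(...)` in that accessor would pin it. Every method touched in this file starts outside its hunk, so whether any of them documents the new guest-denial behaviour cannot be seen from the diff.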
index 51f69ca..0ebad18 100644
@@ -84,7 +84,8 @@ class ThriftProductHandler:
 "You are not authorized to execute this action.")
 if not any(permissions.require_permission(
- perm, args, self.__auth_session)
+ perm, args, self.__auth_session,
+ self.__server.manager.is_enabled)
 for perm in required):
 raise codechecker_api_shared.ttypes.RequestFailed(
 codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
@@ -95,11 +96,13 @@ class ThriftProductHandler:
 def __administrating(self, args):
 """
 True if the current user can administrate the given product.
 """
 if permissions.require_permission(permissions.SUPERUSER, args,
- self.__auth_session):
+ self.__auth_session,
+ self.__server.manager.is_enabled):
 return True
 if permissions.require_permission(permissions.PRODUCT_ADMIN, args,
- self.__auth_session):
+ self.__auth_session,
+ self.__server.manager.is_enabled):
 return True
 return False
@@ -126,9 +129,11 @@ class ThriftProductHandler:
 'productID': product.id}
 has_product_permission = permissions.require_permission(
- permissions.PRODUCT_VIEW, args, self.__auth_session)
+ permissions.PRODUCT_VIEW, args, self.__auth_session,
+ self.__server.manager.is_enabled)
 has_global_permission = permissions.require_permission(
- permissions.PERMISSION_VIEW, args, self.__auth_session)
+ permissions.PERMISSION_VIEW, args, self.__auth_session,
+ self.__server.manager.is_enabled)
 has_access_permission = has_product_permission or has_global_permission
 admin_perm_name = permissions.PRODUCT_ADMIN.name
@@ -180,7 +185,8 @@ class ThriftProductHandler:
 'productID': prod.id}
 if permissions.require_permission(
 permissions.PRODUCT_ADMIN,
- args, self.__auth_session):
+ args, self.__auth_session,
+ self.__server.manager.is_enabled):
 return True
 return False
web/server/codechecker_server/api/report_server.py
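Review bot: `self.__server.manager.is_enabled` is now written out six times across the -84, -95, -126 and -180 hunks; a private property, `@property` over `def __auth_enabled(self): return self.__server.manager.is_enabled`, would give every check the same spelling and one place to change if the flag's source moves. `__administrating` in the -95 hunk is the only method entirely inside the diff; its docstring could state the new guest rule, e.g. `A guest (None) session only qualifies when authentication is disabled.` The other three methods start outside their hunks, so the context of the `any(...)` guard in -84 and of the view-permission checks in -126 is not visible here.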
index 26613ce..110033c 100644
@@ -1480,7 +1480,8 @@ class ThriftRequestHandler:
 "You are not authorized to execute this action.")
 if not any(permissions.require_permission(
- perm, args, self._auth_session)
+ perm, args, self._auth_session,
+ self._manager.is_enabled)
 for perm in required):
 raise codechecker_api_shared.ttypes.RequestFailed(
 codechecker_api_shared.ttypes.ErrorCode.UNAUTHORIZED,
web/server/codechecker_server/api/tasks.py
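Review bot: The added argument reads `self._manager.is_enabled`, but unlike tasks.py this diff does not add a `_manager` attribute to `ThriftRequestHandler`, so the check relies on that attribute already being set by a constructor that is outside the hunk. If it is absent, the guard raises AttributeError before `any(...)` runs — fail-closed, but surfacing as an internal error rather than UNAUTHORIZED — so it is worth confirming at the assignment site, ideally with a comment there such as `# session manager; its is_enabled flag decides whether a guest session is denied`. None of the twenty listed verifier tests names report_server, so this call site is not directly exercised by them; the enclosing method starts outside the hunk.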
index dc2a1fb..440b4ef 100644
@@ -114,10 +114,12 @@ class ThriftTaskHandler:
 def __init__(self, configuration_database_sessionmaker,
 task_manager: TaskManager,
- auth_session):
+ auth_session,
+ session_manager):
 self._config_db = configuration_database_sessionmaker
 self._task_manager = task_manager
 self._auth_session = auth_session
+ self._session_manager = session_manager
 def _get_username(self) -> Optional[str]:
 """
@@ -156,13 +158,15 @@ class ThriftTaskHandler:
 permissions.PRODUCT_ADMIN,
 {"config_db_session": session,
 "productID": associated_product.id},
- self._auth_session)
+ self._auth_session,
+ self._session_manager.is_enabled)
 if not has_right_to_query_status:
 has_right_to_query_status = permissions.require_permission(
 permissions.SUPERUSER,
 {"config_db_session": session},
- self._auth_session)
+ self._auth_session,
+ self._session_manager.is_enabled)
 if not has_right_to_query_status:
 raise RequestFailed(
@@ -188,7 +192,8 @@ class ThriftTaskHandler:
 if not permissions.require_permission(
 permissions.SUPERUSER,
 {"config_db_session": session},
- self._auth_session):
+ self._auth_session,
+ self._session_manager.is_enabled):
 raise RequestFailed(
 ErrorCode.UNAUTHORIZED,
 "Querying service tasks (not associated with a "
@@ -199,7 +204,8 @@ class ThriftTaskHandler:
 if not permissions.require_permission(
 permissions.PRODUCT_ADMIN,
 {"config_db_session": session, "productID": prod_id},
- self._auth_session)]
+ self._auth_session,
+ self._session_manager.is_enabled)]
 if no_admin_products:
 no_admin_products = [session.get(Product, product_id)
 .endpoint
@@ -299,7 +305,8 @@ class ThriftTaskHandler:
 has_superuser = permissions.require_permission(
 permissions.SUPERUSER,
 {"config_db_session": session},
- self._auth_session)
+ self._auth_session,
+ self._session_manager.is_enabled)
 if not has_superuser:
 continue
 else:
@@ -314,7 +321,8 @@ class ThriftTaskHandler:
 permissions.PRODUCT_ADMIN,
 {"config_db_session": session,
 "productID": db_task.product_id},
- self._auth_session)
+ self._auth_session,
+ 
self._session_manager.is_enabled)
 if not product_admin_rights[db_task.product_id]:
 continue
 
@@ -336,7 +344,8 @@ class ThriftTaskHandler:
 if not permissions.require_permission(
 permissions.SUPERUSER,
 {"config_db_session": session},
- self._auth_session):
+ self._auth_session,
+ self._session_manager.is_enabled):
 raise RequestFailed(
 ErrorCode.UNAUTHORIZED,
 "cancelTask() requires server-level SUPERUSER rights.")
web/server/codechecker_server/permissions.py
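Review bot: In the -114 hunk `session_manager` becomes a new required positional parameter of `ThriftTaskHandler.__init__` with neither a type hint nor a docstring line, although the neighbouring `task_manager` is annotated; any other construction site (server.py is the only one this diff updates) now fails with TypeError, which is fail-closed but silent until that path runs. Suggest documenting it where it is stored, e.g. `self._session_manager = session_manager  # exposes is_enabled; a guest session is denied when True`. The seven `self._session_manager.is_enabled` reads in the -156 to -336 hunks could go through one private property so the flag is spelled identically everywhere. Every method touched in this file starts outside its hunk, and the -314 hunk's added line is split across two physical lines of the rendered diff.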
index 07df5cc..f0e05e9 100644
@@ -198,17 +198,19 @@ class PermissionHandler(metaclass=ABCMeta):
 self._perm_name, 'group' if is_group else 'user', auth_name)
 
- def has_permission(self, auth_session):
+ def has_permission(self, auth_session, is_auth_enabled):
 """
 Returns whether or not the given authenticated user session (or None, if authentication is disabled on the server!) is given the current permission.
 """
 if not auth_session:
- # If the user does not have an auth_session it means it is a guest
- # and the server is running in authentication disabled mode.
- # All permissions are automatically granted in this case.
- return True
+ # If the user does not have an auth_session it means it is a guest.
+ # All permissions are automatically granted when authentication is
+ # not enabled on the server. When authentication IS enabled, an
+ # unauthenticated (anonymous) request must NOT be granted any
+ # permission.
+ return not is_auth_enabled
 elif auth_session.is_root and self._perm_name == 'SUPERUSER':
 # The special master superuser (root) automatically has the
@@ -644,17 +646,19 @@ def initialise_defaults(scope, extra_params):
 handler._rem_perm_impl('*', False)
 
-def require_permission(permission, extra_params, user):
+def require_permission(permission, extra_params, user, is_auth_enabled):
 """
 Returns whether or not the given user has the given permission.
 :param extra_params: The scope-specific argument dict, which already contains a valid database session.
+ :param is_auth_enabled: Guest users are handled differently when
+ authentication is disabled on the server.
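Review bot: The docstring of `has_permission` still says a `None` session means "authentication is disabled on the server", which the new guard contradicts: `None` now also stands for an anonymous request on an auth-enabled server, and `is_auth_enabled` is what separates the two cases, so the docstring should describe the parameter, e.g. `:param is_auth_enabled: True when the server requires authentication; a None session is then denied, otherwise it is granted every permission.` `return not is_auth_enabled` decides by truthiness, so every caller must pass the evaluated flag — the other files pass `manager.is_enabled` unevaluated, which is correct only if `is_enabled` is an attribute or property rather than a method, since a bound method is always truthy and would deny guests even with authentication off; the listed tests passing suggests it is, but `return not bool(is_auth_enabled)` would make the expectation explicit. Making the parameter required rather than defaulting it is the right fail-closed choice and matches `test_no_silent_bypass_via_missing_auth_flag` in the verifier list; the root shortcut in the following `elif` still applies only once a session exists, which is the right order. The remainder of the method is outside the hunk.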
"""
 handler = handler_from_scope_params(permission, extra_params)
- if handler.has_permission(user):
+ if handler.has_permission(user, is_auth_enabled):
 return True
 # If the user for some reason does not have the permission directly
@@ -663,7 +667,7 @@ def require_permission(permission, extra_params, user):
 while ancestors:
 handler = handler_from_scope_params(ancestors[0], extra_params)
 
- if handler.has_permission(user):
+ if handler.has_permission(user, is_auth_enabled):
 return True
 else:
 ancestors = ancestors[1:] + ancestors[0].inherited_from
@@ -671,19 +675,21 @@ def require_permission(permission, extra_params, user):
 return False
 
-def require_manager(permission, extra_params, user):
+def require_manager(permission, extra_params, user, is_auth_enabled):
 """
 Returns whether or not the given user has rights to manage the given permission.
 :param extra_params: The scope-specific argument dict, which already contains a valid database session.
+ :param is_auth_enabled: Guest users are handled differently when
+ authentication is disabled on the server.
 """
 for manager in permission.managed_by:
 manager_handler = handler_from_scope_params(manager, extra_params)
- if manager_handler.has_permission(user):
+ if manager_handler.has_permission(user, is_auth_enabled):
 return True
 return False
web/server/codechecker_server/server.py
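Review bot: The new `:param is_auth_enabled:` text in `require_permission` (-644) and the identical one in `require_manager` (-671) say guests "are handled differently" without saying how; state the contract instead, e.g. `:param is_auth_enabled: Whether the server requires authentication. A None (guest) user is denied when True and granted every permission when False.` Both helpers only forward the flag to `has_permission`, so the ancestor walk in -663 and the `managed_by` loop in -671 inherit the same fail-closed behaviour without further logic, which is the right shape. The code between the -644 and -663 hunks is outside the diff.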
index fab6925..df8dba1 100644
@@ -468,7 +468,8 @@ class RequestHandler(SimpleHTTPRequestHandler):
 task_handler = TaskHandler_v6(
 self.server.config_session,
 self.server.task_manager,
- self.auth_session)
+ self.auth_session,
+ self.server.manager)
 processor = TaskAPI_v6.Processor(task_handler)
 elif request_endpoint == "CodeCheckerService":
 # This endpoint is a product's report_server.