fix(security): API import no longer replaces user accounts
A cluster-secret holder could POST a backup containing their own admin key to /api/backup/import, replacing all users — a privilege escalation from cluster-auth to admin. Separately, Kuma imports produced zero users, but ImportWipe unconditionally deleted the users table, locking out every account until a restart reseeded UPTOP_ADMIN_KEY.

- Server handlers strip data.Users (set to nil) before calling ImportData
- ImportData only wipes and replaces users when data.Users != nil
- New ImportWipeUsers dialect method separates the user wipe from the data wipe
- CLI restore (main.go) is unchanged — a full import still replaces users
@@ -205,12 +205,15 @@ func (s *Server) handleImport(w http.ResponseWriter, r *http.Request) {
|
||||
http.Error(w, "Invalid JSON", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
// API import never modifies users — cluster-secret holder shouldn't be
|
||||
// able to replace admin accounts. CLI restore still does full import.
|
||||
data.Users = nil
|
||||
if err := s.store.ImportData(r.Context(), data); err != nil {
|
||||
slog.Error("import failed", "err", err)
|
||||
http.Error(w, "Import failed", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
_, _ = w.Write([]byte("Import Successful"))
|
||||
_, _ = w.Write([]byte("Import Successful (users excluded — manage via CLI or UPTOP_KEYS)"))
|
||||
}
|
||||
|
||||
func (s *Server) handleKumaImport(w http.ResponseWriter, r *http.Request) {
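Review bot: The protection rests on a caller-side convention — every HTTP handler must execute the `data.Users = nil` line — that is enforced only by a `!= nil` check inside `ImportData`, which is outside this hunk, so any future handler that decodes a backup and omits that assignment silently reinstates the cluster-auth-to-admin path. A positive opt-in that fails closed would be safer (an explicit parameter, or a separate entry point such as `ImportDataKeepUsers` used by the HTTP handlers, with only the CLI restore allowed to pass users); at minimum the invariant deserves a comment on `ImportData` such as `// Users are wiped and replaced only when non-nil; HTTP handlers must nil them — only the CLI restore may pass users.` Note also that `encoding/json` decodes `"users": []` into a non-nil empty slice, so on the CLI path an explicitly empty list still triggers the wipe — worth confirming that is intended given the Kuma lockout described in the commit message. The success message names `UPTOP_KEYS` while the commit description refers to `UPTOP_ADMIN_KEY`; one of the two looks stale. `handleKumaImport` begins on the last line of the hunk and its body is outside this view, so whether it applies the same `data.Users = nil` cannot be confirmed here.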
|
||||
|
||||