
fix: require auth and tenant scoping on GetUEPDUSessionInfo #210

Open
DBGR18 wants to merge 3 commits into free5gc:main from DBGR18:fix/ue-pdu-session-info-missing-auth

Conversation

DBGR18 commented Jun 29, 2026

fixing free5gc/free5gc#1074

Problem

GetUEPDUSessionInfo (GET /api/ue-pdu-session-info/:smContextRef) performed no authentication or authorization. It minted the WebConsole's own NF OAuth2 token and proxied the request to the internal SMF OAM interface, returning the response verbatim to the caller. It's a confused deputy that lets a request without a valid token read a UE's PDU session info.
It also applied no tenant filtering, unlike the sibling GetRegisteredUEContext.

Fix

  • Authenticate the caller with GetTenantId() at the top of the handler,
    before the NF token is minted, so unauthorized requests are rejected with
    401 and never reach the SMF OAM proxy.
  • Tenant-scope the response for non-admins via a new
    sendResponseToClientFilterTenantSingle helper. The existing
    sendResponseToClientFilterTenant only filters slices and would pass the
    SMF's single-object response through unfiltered, leaving cross-tenant reads
    possible.
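The single-object gap the Fix section describes, as an added Go example (not the PR's or free5gc's code): a filter that only handles JSON arrays forwards a single object untouched, shown next to the single-object check the PR adds. `tenantMembership`, the constructed SMF body and the plain status codes are assumptions standing in for the WebConsole's DB-backed tenantCheck closure and its gin responses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Constructed stand-in for the WebConsole's DB-backed tenantCheck closure.
type tenantMembership func(supi string) bool

// Pre-fix shape the PR describes: only a JSON array is tenant-filtered; anything else passes through.
func filterSliceOnly(body []byte, allowed tenantMembership) (int, interface{}) {
	var data interface{}
	if err := json.Unmarshal(body, &data); err != nil {
		return http.StatusInternalServerError, nil
	}
	list, ok := data.([]interface{})
	if !ok {
		return http.StatusOK, data // single object: no tenant check at all
	}
	kept := make([]interface{}, 0, len(list))
	for _, item := range list {
		obj, _ := item.(map[string]interface{})
		if supi, ok := obj["Supi"].(string); ok && allowed(supi) {
			kept = append(kept, obj)
		}
	}
	return http.StatusOK, kept
}

// Single-object counterpart: return the object only if its Supi is in the caller's tenant, else refuse.
func filterSingle(body []byte, allowed tenantMembership) (int, interface{}) {
	var obj map[string]interface{}
	if err := json.Unmarshal(body, &obj); err != nil {
		return http.StatusInternalServerError, nil
	}
	if supi, ok := obj["Supi"].(string); ok && allowed(supi) {
		return http.StatusOK, obj
	}
	return http.StatusForbidden, nil
}

func main() {
	// Constructed sample: tenant A owns imsi-...001; the SMF returns a session owned by imsi-...009.
	tenantA := tenantMembership(func(s string) bool { return s == "imsi-208930000000001" })
	smfBody := []byte(`{"Supi":"imsi-208930000000009","PDUSessionID":"1"}`)
	vuln, _ := filterSliceOnly(smfBody, tenantA)
	fixed, _ := filterSingle(smfBody, tenantA)
	fmt.Println("slice-only filter:", vuln, "single-object filter:", fixed) // prints 200 and 403
}
```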

Copilot AI review requested due to automatic review settings July 1, 2026 07:21

Copilot AI left a comment

Pull request overview

This PR hardens the GetUEPDUSessionInfo WebUI handler by enforcing caller authentication before minting an internal NF token, and by tenant-scoping the proxied SMF OAM response for non-admin users to prevent cross-tenant reads.

Changes:

  • Require a valid WebConsole JWT (via GetTenantId()) at the start of GetUEPDUSessionInfo, rejecting unauthorized callers before any SMF OAM proxying occurs.
  • Add sendResponseToClientFilterTenantSingle to tenant-filter single-object SMF responses for non-admin callers.
  • Route admin vs non-admin responses through unfiltered vs tenant-filtered forwarding.

Comment thread backend/WebUI/api_webui.go Outdated
Comment on lines +1892 to +1907
var jsonData map[string]interface{}
if err = json.NewDecoder(response.Body).Decode(&jsonData); err != nil {
logger.ProcLog.Errorf("sendResponseToClientFilterTenantSingle err: %+v", err)
c.JSON(http.StatusInternalServerError, gin.H{})
return
}

if supi, ok := jsonData["Supi"].(string); ok && tenantCheck(supi) {
c.JSON(response.StatusCode, jsonData)
return
}

c.JSON(http.StatusForbidden, gin.H{
"cause": "Subscriber does not belong to this tenant",
})
}
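Review bot: the fallthrough to 403 conflates "belongs to another tenant" with "the SMF did not return a session": on a non-2xx SMF response (unknown smContextRef, SMF error) the body carries no `Supi`, so a non-admin receives `Subscriber does not belong to this tenant` for what is really a 404 or 5xx, and the status code becomes an existence oracle (403 is produced only when the session exists under another tenant). Suggest checking `response.StatusCode` before decoding and forwarding non-2xx responses as-is, and answering the tenant-mismatch case with the same 404 a missing session produces so the two are indistinguishable to the caller. `response.Body` is decoded but not visibly closed in this region; confirm the function start or the caller does `defer response.Body.Close()`.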
Comment thread backend/WebUI/api_webui.go Outdated
Comment on lines +1875 to +1879
filterTenantIdOnly := bson.M{"tenantId": tenantId}
amDataList, err := mongoapi.RestfulAPIGetMany(amDataColl, filterTenantIdOnly)
if err != nil {
logger.ProcLog.Errorf("sendResponseToClientFilterTenantSingle err: %+v", err)
c.JSON(http.StatusInternalServerError, gin.H{})
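Review bot: the membership lookup loads every AM data document for the tenant (`RestfulAPIGetMany(amDataColl, {"tenantId": tenantId})`) to answer a yes/no question about one SUPI, and it repeats the prelude of the existing sendResponseToClientFilterTenant. For the single-object path, decode the body first and issue one query scoped to both the tenant and that SUPI, or move the lookup into a helper both filters share so the two paths cannot drift. The log line `sendResponseToClientFilterTenantSingle err: %+v` is also identical for this DB failure and for the JSON decode failure later in the same function; naming the failing step makes the two 500s distinguishable in logs.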