Skip to content

nextflow security fixes#653

Merged
ankurjuneja merged 3 commits into
release26.3-SNAPSHOTfrom
26.3_fb_nextflow_security_fix
Jun 29, 2026
Merged

nextflow security fixes#653
ankurjuneja merged 3 commits into
release26.3-SNAPSHOTfrom
26.3_fb_nextflow_security_fix

Conversation

@ankurjuneja

@ankurjuneja ankurjuneja commented Jun 29, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Rationale

Two security/robustness issues were found in NextFlowController:

  1. Function-level authorization gap (BeginAction.handlePost). BeginAction is gated only by ReadPermission, and the site-admin check (hasSiteAdminPermission()) lived solely in getView() — the UI only renders the enable/disable
    toggle for site admins. The POST handler that actually writes the per-folder enabled state had no privilege re-check, so any folder reader could POST directly to the action and toggle NextFlow integration for the folder.
    Because isEnabled() walks up the container tree, child containers inherit that state, widening the impact. The editing capability is intended for site admins only, so the invariant needed to be re-established on the write
    path.
  2. NullPointerException on the run path (NextFlowRunAction). NextFlowManager.getConfiguration() returns null when no NextFlow configuration has been saved. Both getView() and handlePost() immediately dereferenced the result
    (config.getNextFlowConfigFilePath()), producing a 500 error for an editor working in a container where NextFlow is enabled but not yet configured. Users should get a clear message instead of a server error.

Related Pull Requests

Changes

  • NextFlowController.BeginAction.handlePost

    • Added a hasSiteAdminPermission() check that throws UnauthorizedException before writing the enabled state, matching the gate already present in getView(). Enabling alone still does not grant run rights — NextFlowRunAction
      continues to require InsertPermission.
    • NextFlowRunAction.handlePost: wrapped the FileUtil.appendPath call (which already enforces directory containment / rejects .. traversal) in a try/catch so an invalid configFile yields a user-facing "Invalid config file"
      error instead of an unhandled 500.

  • NextFlowController.NextFlowRunAction

    • validateCommand: reject with "NextFlow has not been configured" when getConfiguration() is null (guards the POST path).
    • getView: added a config != null guard, falling through to the existing "Couldn't find NextFlow config file(s)" message.
    • handlePost: added a defensive null/empty-path check (it re-fetches the configuration independently), rejecting with a user-facing error instead of throwing.

vagisha
vagisha reviewed Jun 29, 2026
View reviewed changes
Comment thread nextflow/src/org/labkey/nextflow/NextFlowController.java
try
{
// appendPath normalizes and enforces that the resolved path stays within configDir, rejecting traversal
configFile = FileUtil.appendPath(configDir, Path.parse(form.getConfigFile()));

@vagisha vagisha Jun 29, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Path.parse could throw a NPE if getConfigFile() returns null. Should we add a StringUtils.isBlank(form.getConfigFile()) guard before this try/catch?

@ankurjuneja ankurjuneja merged commit d3d8590 into release26.3-SNAPSHOT Jun 29, 2026
5 checks passed
@ankurjuneja ankurjuneja deleted the 26.3_fb_nextflow_security_fix branch June 29, 2026 22:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vagisha vagisha vagisha approved these changes
@labkey-jeckels labkey-jeckels labkey-jeckels approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ankurjuneja @vagisha @labkey-jeckels