Security: Fail-Open Authorization — Students Can Export/Modify All Grades (bulkExport, bulkGrade_complete, regradeBatch) #2313

@lighthousekeeper1212

Summary

A security audit identified 8 vulnerabilities in Autolab, with the most critical being a fail-open authorization design that allows enrolled students to export all grades and write arbitrary grade modifications.

Root Cause: Fail-Open Authorization Framework

In app/controllers/application_controller.rb lines 110-122, when an action has NO action_auth_level declaration, authenticate_for_action silently allows access:

def authenticate_for_action
  controller_whitelist = @@global_whitelist[params[:controller].to_sym]
  return if controller_whitelist.nil?
  level = controller_whitelist[params[:action].to_sym]
  return if level.nil?  # Missing auth level = NO CHECK
  ...
end

Any action missing its action_auth_level declaration has zero role-based authorization.

Critical Findings

1. bulkExport Missing Auth — Students Export All Grades (CRITICAL - CWE-862)

File: app/controllers/assessment/grading.rb lines 6-14

bulkExport exports all student scores as CSV. It has NO action_auth_level declaration while sibling bulkGrade requires :course_assistant (1-of-N inconsistency). Any enrolled student can GET /courses/:name/assessments/:name/bulkExport to download every student's grades.

2. regradeBatch Missing Auth — Student Batch Regrading (CRITICAL - CWE-862)

File: app/controllers/assessment/autograde.rb line 88

The action_auth_level :regradeBatch, :instructor declaration is commented out. Any student can trigger batch regrading, causing DoS on the Tango autograding server.

3. bulkGrade_complete Missing Auth — Students Write Grades (HIGH - CWE-862)

File: app/controllers/assessment/grading.rb lines 50-75

The save step of bulk grading has no auth while the upload step requires :course_assistant. A student can POST directly to save grade modifications for any student.

4. permit! Mass Assignment in Assessment Edit (HIGH - CWE-915)

File: app/controllers/assessments_controller.rb line 1120

edit_assessment_params calls ass.permit! which permits ALL parameters including course_id (cross-course manipulation).

5. ScoresController Cross-Submission Score Creation (HIGH - CWE-639)

File: app/controllers/scores_controller.rb lines 47-49

create_params permits :submission_id, allowing course assistants to create scores on submissions in other courses.

6. ScoresController Grader Identity Spoofing (MEDIUM - CWE-639)

update_params permits :grader_id, allowing attribution spoofing.

7. Announcement System Flag Escalation (MEDIUM - CWE-285)

announcement_params permits :system, allowing course instructors to create system-wide announcements visible to all users.

8. report_bug Missing Auth Level (LOW - CWE-862)

No action_auth_level declaration on bug report action.

Recommended Fixes

  1. Change the framework to fail-closed: In authenticate_for_action, deny access when level.nil? instead of allowing it
  2. Add action_auth_level :bulkExport, :course_assistant
  3. Add action_auth_level :bulkGrade_complete, :course_assistant
  4. Uncomment action_auth_level :regradeBatch, :instructor
  5. Replace permit! with explicit parameter allowlist
  6. Remove :submission_id from ScoresController create_params
  7. Remove :grader_id from update_params
  8. Remove :system from announcement_params

Given this is used at CMU with real students, the grade export/write vulnerabilities are particularly impactful.

Found during a security audit. Happy to discuss or provide more details.
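To make the fail-open/fail-closed distinction concrete, here is an added, self-contained model of the action_auth_level lookup (example code, not Autolab's own): the check from the report beside a fail-closed variant and a small audit helper that lists routable actions with no declaration. The role ordering and the constructed whitelist are assumptions, not Autolab's real tables.

```ruby
# Added example, not Autolab's code. Role levels are a constructed placeholder
# ordering: student < course_assistant < instructor.
ROLE_LEVELS = { student: 0, course_assistant: 1, instructor: 2 }.freeze

# Constructed whitelist mirroring the report: bulkGrade declares
# :course_assistant, while bulkExport has no declaration at all.
WHITELIST = {
  grading: { bulkGrade: :course_assistant }
}.freeze

# Fail-open, as described in the report: a missing controller entry or a
# missing action declaration means no role check runs at all.
def authorized_fail_open?(whitelist, controller, action, role)
  controller_whitelist = whitelist[controller]
  return true if controller_whitelist.nil?
  level = controller_whitelist[action]
  return true if level.nil? # undeclared action = no check
  ROLE_LEVELS.fetch(role) >= ROLE_LEVELS.fetch(level)
end

# Fail-closed: anything not explicitly declared is denied, so a forgotten
# action_auth_level shows up as a broken page for staff rather than as a
# silent grade leak to students.
def authorized_fail_closed?(whitelist, controller, action, role)
  level = whitelist.dig(controller, action)
  return false if level.nil? # undeclared action = denied
  ROLE_LEVELS.fetch(role) >= ROLE_LEVELS.fetch(level)
end

# Audit helper: given the routable actions per controller (constructed input),
# return every "controller#action" that has no auth-level declaration. These
# are exactly the actions a fail-open framework exposes to any logged-in user.
def undeclared_actions(whitelist, routable)
  routable.flat_map do |controller, actions|
    actions.reject { |a| whitelist.dig(controller, a) }
           .map { |a| "#{controller}##{a}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  routable = { grading: [:bulkGrade, :bulkExport] } # constructed route list
  puts "fail-open, student -> bulkExport: " \
       "#{authorized_fail_open?(WHITELIST, :grading, :bulkExport, :student)}"
  puts "fail-closed, student -> bulkExport: " \
       "#{authorized_fail_closed?(WHITELIST, :grading, :bulkExport, :student)}"
  puts "undeclared: #{undeclared_actions(WHITELIST, routable).inspect}"
end
```

Running the audit helper against the real route list before switching to fail-closed tells you which declarations must be added first, so staff-only actions keep working.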
