Merge pull request from GHSA-5v95-v8c8-3rh6

This fixes a security vulnerability where, with a carefully crafted request or malicious proxy, a user with UserWrite permissions could create another user with higher privileges than their own due to insufficient checks on the allowed set of permissions.

pkg/rbac/rbac.go

@@ -64,6 +64,16 @@ func Can(given Permission, target Permission) bool {
 func CompileAndAuthorize(actorPermission Permission, toUpdate []Permission) (Permission, error) {
 	var permission Permission
 	for _, update := range toUpdate {
+		// Verify the provided permission is a known permission. This prevents a
+		// security vulnerability whereby a carefully crafted request is able to
+		// provide a value that correctly passes an the bitwise AND check and then
+		// modifies the target permission using OR to escalate privilege.
+		if _, ok := PermissionMap[update]; !ok {
+			if update != LegacyRealmAdmin && update != LegacyRealmUser {
+				return 0, fmt.Errorf("provided permission %v is unknown", update)
+			}
+		}
+
 		// Verify that the user making changes has the permissions they are trying
 		// to grant. It is not valid for someone to grant permissions larger than
 		// they currently have.

pkg/rbac/rbac_test.go

@@ -57,6 +57,30 @@ func TestRequiredPermissions(t *testing.T) {
 			t.Errorf("expected error")
 		}
 	})
+
+	t.Run("legacy_admin", func(t *testing.T) {
+		t.Parallel()
+
+		if _, err := CompileAndAuthorize(LegacyRealmAdmin, []Permission{LegacyRealmAdmin}); err != nil {
+			t.Error(err)
+		}
+	})
+
+	t.Run("legacy_user", func(t *testing.T) {
+		t.Parallel()
+
+		if _, err := CompileAndAuthorize(LegacyRealmAdmin, []Permission{LegacyRealmUser}); err != nil {
+			t.Error(err)
+		}
+	})
+
+	t.Run("escalate", func(t *testing.T) {
+		t.Parallel()
+
+		if _, err := CompileAndAuthorize(UserRead|UserWrite, []Permission{16383}); err == nil {
+			t.Errorf("expected error")
+		}
+	})
 }
 
 func TestImpliedBy(t *testing.T) {