Ash-Project Ash Incorrect Authorization Vulnerability in Bulk Actions

Vulnerability

Ash-Project Ash versions prior to 3.5.39 authorize bulk actions incorrectly. In a bulk action, 'before_transaction' hooks can run before the action's authorization checks have completed, so an actor who is not permitted to perform the action can still cause the hook to execute. Hooks that perform sensitive or resource-intensive work are therefore reachable without authorization.

Impact

An attacker who can invoke a bulk update or destroy action can cause its 'before_transaction' hooks to run even though the authorization check that follows would reject the action. Authorization is still checked later in the bulk action, so the exposure is confined to the hook's own side effects; where a hook performs sensitive or expensive work (external calls, heavy computation, writes outside the transaction), that work is done on behalf of an unauthorized actor.

Reproduction

To reproduce, define a resource action that registers a 'before_transaction' hook and no 'after_transaction' hook (the stated trigger condition), then invoke that action through one of the 'Ash.bulk_*' functions, such as 'Ash.bulk_update' or 'Ash.bulk_destroy', as an actor who is not authorized to perform it. The hook runs before authorization is checked. These bulk functions are what AshJsonApi and AshGraphql use for update and destroy actions, so the issue is reachable through those APIs as well.

Remediation

Update to Ash version 3.5.39 or later. If an immediate update is not possible, guard the body of each 'before_transaction' hook so that it performs no sensitive or expensive work until authorization for the action has been confirmed, for example by checking the actor's permission explicitly inside the hook before proceeding.
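The following is an added example and not code from the Ash project or from this advisory. It shows, in Ash 3.x syntax, the reproduction shape described above (an update action with a 'before_transaction' hook and no 'after_transaction' hook, driven through 'Ash.bulk_update' by an actor the policy rejects) next to the interim guard recommended under Remediation. The module names, the ':archive' and ':archive_guarded' actions, the actor's ':role' field and 'MyApp.ExpensiveWork.run/1' are assumptions made for illustration; reading the actor from 'context.actor' inside the change function is also an assumption about the change callback's context.

```elixir
# Added example (not Ash project or advisory code). Assumes Ash 3.x with
# Ash.Policy.Authorizer and an ETS data layer so it can run without a database.

defmodule MyApp.ExpensiveWork do
  # Stand-in for the sensitive/expensive side effect the advisory is about
  # (assumption: a real hook might call an external service or do heavy work).
  def run(changeset) do
    IO.puts("before_transaction hook ran for ticket #{changeset.data.id}")
    changeset
  end
end

defmodule MyApp.Domain do
  use Ash.Domain

  resources do
    resource MyApp.Ticket
  end
end

defmodule MyApp.Ticket do
  use Ash.Resource,
    domain: MyApp.Domain,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
    attribute :archived, :boolean, default: false, public?: true
  end

  actions do
    defaults [:read, create: []]

    # Vulnerable shape: a before_transaction hook with no after_transaction hook.
    update :archive do
      require_atomic? false
      change set_attribute(:archived, true)

      change fn changeset, _context ->
        Ash.Changeset.before_transaction(changeset, fn cs ->
          # Before 3.5.39 this ran inside Ash.bulk_update even for an actor
          # that the policy below rejects.
          MyApp.ExpensiveWork.run(cs)
        end)
      end
    end

    # Interim workaround from the advisory: confirm authorization inside the
    # hook before doing any sensitive or expensive work.
    update :archive_guarded do
      require_atomic? false
      change set_attribute(:archived, true)

      change fn changeset, context ->
        actor = context.actor  # assumption: actor supplied to the action

        Ash.Changeset.before_transaction(changeset, fn cs ->
          if Ash.can?(cs, actor) do
            MyApp.ExpensiveWork.run(cs)
          else
            Ash.Changeset.add_error(cs, "forbidden: actor may not run this action")
          end
        end)
      end
    end
  end

  policies do
    policy action_type([:create, :read]) do
      authorize_if always()
    end

    policy action([:archive, :archive_guarded]) do
      authorize_if actor_attribute_equals(:role, :admin)
    end
  end
end

defmodule MyApp.Repro do
  # Seed one record as an admin, then run the bulk action as a non-admin.
  def run(action \\ :archive) do
    {:ok, _ticket} = Ash.create(MyApp.Ticket, %{}, action: :create, actor: %{role: :admin})

    Ash.bulk_update(Ash.Query.new(MyApp.Ticket), action, %{},
      actor: %{role: :viewer},
      authorize?: true,
      strategy: :stream,
      return_errors?: true
    )
  end
end
```

Running MyApp.Repro.run(:archive) on a version before 3.5.39 prints the hook's message for the viewer actor even though the policy denies the action; MyApp.Repro.run(:archive_guarded) does not reach MyApp.ExpensiveWork.run/1 for that actor, because Ash.can?/2 is consulted inside the hook first. The guard is a stopgap: once on 3.5.39 or later the framework orders authorization before the hook and the explicit check becomes redundant.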

Added: Sep 7, 2025, 4:19 PM
Updated: Sep 7, 2025, 4:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.3
remediation: 8.3
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.