authzed SpiceDB
cpe:2.3:a:authzed:spicedb:*:*:*:*:*:*:*
- < 1.47.1
SpiceDB versions prior to 1.47.1 can return incomplete results from the LookupResources API for certain permission schemas. The affected pattern is a permission defined as a union whose two branches start from the same relation: one branch uses the relation directly, and the other walks an arrow from that relation into a different permission (for example `viewer + viewer->special_user`). In such a schema the same relation is an entrypoint into more than one definition, and LookupResources, which resolves from a subject back to the resources it can reach, may omit resources that are reachable through one of the branches. Other permission-related APIs evaluate the same schema correctly.
The effect is omission rather than over-grant: LookupResources may leave out resources the subject is actually permitted to access, so applications that use it to enumerate what a user can see or act on will present incomplete lists. Individual access decisions made with CheckPermission are not affected.
To reproduce the issue, write a schema in which a permission is a union of a relation with an arrow over that same relation, where the arrow resolves to a permission on a different definition. For example, in a `system` definition declare `permission view = viewer + viewer->special_user`, with `viewer` allowed to reference both a plain subject type and a second definition that declares `special_user`. Then write relationships that grant `view` through the arrow branch (a subject reaching `system` via the second definition's `special_user`) and call LookupResources for `system` / `view` with that subject. On an affected version the expected resources are missing from the response, while CheckPermission for the same subject and resource returns allowed.
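The following schema is an added example written for this page, not the advisory's own reproduction. It has the shape the advisory describes: `view` on `system` unions the relation `viewer` with the arrow `viewer->special_user`. The `user` and `group` definitions, the `member` relation, and the relationship and object names in the comments are assumptions for illustration; the advisory itself only names `system`, `view`, `viewer` and `special_user`.

```zed
// Added example (not from the advisory). `group` and `member` are assumed.
definition user {}

// A second definition reachable through `system#viewer`. Its `special_user`
// permission is the "different permission" that the arrow resolves to.
definition group {
    relation member: user
    permission special_user = member
}

definition system {
    // The same relation is the entrypoint for both branches of the union:
    // directly (subject is a user) and via the arrow (subject is a group,
    // and the walk continues into group#special_user).
    relation viewer: user | group
    permission view = viewer + viewer->special_user
}

// Constructed relationships for the test (not on the original page):
//   system:prod#viewer@group:admins   -> prod is viewable via the arrow branch
//   group:admins#member@user:alice    -> alice reaches prod only through special_user
//   system:dev#viewer@user:alice      -> dev is viewable via the direct branch
//
// Expected on a fixed version: LookupResources(system, view, user:alice)
// returns both system:prod and system:dev. On an affected version one of them
// may be missing, even though CheckPermission(system:prod, view, user:alice)
// and CheckPermission(system:dev, view, user:alice) both return allowed.
```

To exercise it against a local SpiceDB, load the schema and relationships with the `zed` CLI and compare `zed permission check system:prod view user:alice` with `zed permission lookup-resources system view user:alice` (subcommand names quoted from memory; confirm them with `zed permission --help` for the version in use). A mismatch between a positive check and an absent lookup result on a version below 1.47.1 is the symptom the advisory describes.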
Upgrade to SpiceDB 1.47.1 or later, which contains the fix. Until the upgrade is in place, do not treat LookupResources output as authoritative for schemas of this shape; enforce individual access decisions with CheckPermission, which is unaffected, and treat LookupResources results as a possibly incomplete listing.