Scope laboratory assay protocol lookups to the request container

labkey-martyp · labkey-martyp · commit 8907cfecdf5f · 2026-06-18T15:53:50.000-06:00
GetImportMethodsAction and four sibling actions in LaboratoryController looked up assay protocols by row id via ExperimentService.getExpProtocol(int), an unscoped global primary-key lookup. Because the actions are guarded only by container-level permissions, a user with read access to any single folder could pass an arbitrary row id and have the server use — and, in GetImportMethodsAction, echo back the name, container, and container path of — a protocol defined in a folder they cannot read, enabling cross-container enumeration of assay designs and folder paths.

Each lookup now verifies the protocol is in scope for the request container via AssayService.getAssayProtocols(getContainer()) before use, returning the same generic not-found message whether the row id is unknown or simply out of scope so the response is not an existence oracle. Legitimate same-container callers are unaffected.
diff --git a/laboratory/src/org/labkey/laboratory/LaboratoryController.java b/laboratory/src/org/labkey/laboratory/LaboratoryController.java
@@ -646,8 +646,11 @@ public String getResponse(ProcessAssayForm form, Map<String, Pair<File, String>>
                         throw new UploadException("No Assay Id Provided", HttpServletResponse.SC_BAD_REQUEST);
                     }
 
+                    // getExpProtocol() is a global row-id lookup with no container scoping, so confirm the protocol is in
+                    // scope for this container before using it; otherwise the same generic message is returned whether the
+                    // row id is unknown or simply belongs to a container the user cannot read.
                     ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getLabkeyAssayId());
-                    if (protocol == null)
+                    if (protocol == null || !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))
                     {
                         throw new UploadException("Unable to find assay protocol with Id: " + form.getLabkeyAssayId(), HttpServletResponse.SC_BAD_REQUEST);
                     }
@@ -935,8 +938,11 @@ public ApiResponse execute(SaveTemplateForm form, BindException errors) throws E
             {
                 JSONObject json = new JSONObject(form.getJson());
 
+                // getExpProtocol() is a global row-id lookup with no container scoping, so confirm the protocol is in
+                // scope for this container before saving a template against it. The same generic message is returned
+                // whether the row id is unknown or belongs to a container the user cannot read.
                 ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getProtocolId());
-                if (protocol == null)
+                if (protocol == null || !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))
                 {
                     errors.reject(ERROR_MSG, "Unknown assay: " + form.getProtocolId());
                     return null;
@@ -1062,8 +1068,11 @@ public void export(ProcessAssayForm form, HttpServletResponse response, BindExce
                     return;
                 }
 
+                // getExpProtocol() is a global row-id lookup with no container scoping, so confirm the protocol is in
+                // scope for this container before generating a template against it. The same generic message is returned
+                // whether the row id is unknown or belongs to a container the user cannot read.
                 ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getLabkeyAssayId());
-                if (protocol == null)
+                if (protocol == null || !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))
                 {
                     throw new AbstractFileUploadAction.UploadException("Unable to find assay protocol with Id: " + form.getLabkeyAssayId(), HttpServletResponse.SC_BAD_REQUEST);
                 }
@@ -1513,8 +1522,11 @@ public ApiResponse execute(AssayImportHeadersForm form, BindException errors)
                 return new ApiSimpleResponse(results);
             }
 
+            // getExpProtocol() is a global row-id lookup with no container scoping, so confirm the protocol is in scope
+            // for this container before returning its import columns. The same generic message is returned whether the
+            // row id is unknown or belongs to a container the user cannot read.
             ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getProtocol());
-            if (protocol == null)
+            if (protocol == null || !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))
             {
                 errors.reject(ERROR_MSG, "Protocol not found: " + form.getProtocol());
                 return new ApiSimpleResponse(results);
@@ -1877,8 +1889,19 @@ public ApiResponse execute(ImportMethodsForm form, BindException errors)
             List<ExpProtocol> protocols = new ArrayList<>();
             if (form.getAssayId() != null)
             {
-                protocols.add(ExperimentService.get().getExpProtocol(form.getAssayId()));
-                ap = AssayService.get().getProvider(protocols.get(0));
+                ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getAssayId());
+                // getExpProtocol() is a global row-id lookup with no container scoping. Verify the requested protocol is
+                // actually in scope for this container before using or echoing its metadata, otherwise a user with read
+                // access to any one folder could enumerate arbitrary row ids and harvest assay names and container paths
+                // from folders they cannot read. Use the same generic message whether or not the row id exists so the
+                // response is not an existence oracle for protocols in other containers.
+                if (protocol == null || !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))
+                {
+                    errors.reject(ERROR_MSG, "Unknown assay: " + form.getAssayId());
+                    return null;
+                }
+                protocols.add(protocol);
+                ap = AssayService.get().getProvider(protocol);
             }
             else if (form.getAssayType() != null)
             {

Original file line number	Diff line number	Diff line change
`@@ -646,8 +646,11 @@ public String getResponse(ProcessAssayForm form, Map<String, Pair<File, String>>`
`646`	`646`	`throw new UploadException("No Assay Id Provided", HttpServletResponse.SC_BAD_REQUEST);`
`647`	`647`	`}`
`648`	`648`
	`649`	`+ // getExpProtocol() is a global row-id lookup with no container scoping, so confirm the protocol is in`
	`650`	`+ // scope for this container before using it; otherwise the same generic message is returned whether the`
	`651`	`+ // row id is unknown or simply belongs to a container the user cannot read.`
`649`	`652`	`ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getLabkeyAssayId());`
`650`		`- if (protocol == null)`
	`653`	`+ if (protocol == null \|\| !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))`
`651`	`654`	`{`
`652`	`655`	`throw new UploadException("Unable to find assay protocol with Id: " + form.getLabkeyAssayId(), HttpServletResponse.SC_BAD_REQUEST);`
`653`	`656`	`}`
`@@ -935,8 +938,11 @@ public ApiResponse execute(SaveTemplateForm form, BindException errors) throws E`
`935`	`938`	`{`
`936`	`939`	`JSONObject json = new JSONObject(form.getJson());`
`937`	`940`
	`941`	`+ // getExpProtocol() is a global row-id lookup with no container scoping, so confirm the protocol is in`
	`942`	`+ // scope for this container before saving a template against it. The same generic message is returned`
	`943`	`+ // whether the row id is unknown or belongs to a container the user cannot read.`
`938`	`944`	`ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getProtocolId());`
`939`		`- if (protocol == null)`
	`945`	`+ if (protocol == null \|\| !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))`
`940`	`946`	`{`
`941`	`947`	`errors.reject(ERROR_MSG, "Unknown assay: " + form.getProtocolId());`
`942`	`948`	`return null;`
`@@ -1062,8 +1068,11 @@ public void export(ProcessAssayForm form, HttpServletResponse response, BindExce`
`1062`	`1068`	`return;`
`1063`	`1069`	`}`
`1064`	`1070`
	`1071`	`+ // getExpProtocol() is a global row-id lookup with no container scoping, so confirm the protocol is in`
	`1072`	`+ // scope for this container before generating a template against it. The same generic message is returned`
	`1073`	`+ // whether the row id is unknown or belongs to a container the user cannot read.`
`1065`	`1074`	`ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getLabkeyAssayId());`
`1066`		`- if (protocol == null)`
	`1075`	`+ if (protocol == null \|\| !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))`
`1067`	`1076`	`{`
`1068`	`1077`	`throw new AbstractFileUploadAction.UploadException("Unable to find assay protocol with Id: " + form.getLabkeyAssayId(), HttpServletResponse.SC_BAD_REQUEST);`
`1069`	`1078`	`}`
`@@ -1513,8 +1522,11 @@ public ApiResponse execute(AssayImportHeadersForm form, BindException errors)`
`1513`	`1522`	`return new ApiSimpleResponse(results);`
`1514`	`1523`	`}`
`1515`	`1524`
	`1525`	`+ // getExpProtocol() is a global row-id lookup with no container scoping, so confirm the protocol is in scope`
	`1526`	`+ // for this container before returning its import columns. The same generic message is returned whether the`
	`1527`	`+ // row id is unknown or belongs to a container the user cannot read.`
`1516`	`1528`	`ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getProtocol());`
`1517`		`- if (protocol == null)`
	`1529`	`+ if (protocol == null \|\| !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))`
`1518`	`1530`	`{`
`1519`	`1531`	`errors.reject(ERROR_MSG, "Protocol not found: " + form.getProtocol());`
`1520`	`1532`	`return new ApiSimpleResponse(results);`
`@@ -1877,8 +1889,19 @@ public ApiResponse execute(ImportMethodsForm form, BindException errors)`
`1877`	`1889`	`List<ExpProtocol> protocols = new ArrayList<>();`
`1878`	`1890`	`if (form.getAssayId() != null)`
`1879`	`1891`	`{`
`1880`		`- protocols.add(ExperimentService.get().getExpProtocol(form.getAssayId()));`
`1881`		`- ap = AssayService.get().getProvider(protocols.get(0));`
	`1892`	`+ ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getAssayId());`
	`1893`	`+ // getExpProtocol() is a global row-id lookup with no container scoping. Verify the requested protocol is`
	`1894`	`+ // actually in scope for this container before using or echoing its metadata, otherwise a user with read`
	`1895`	`+ // access to any one folder could enumerate arbitrary row ids and harvest assay names and container paths`
	`1896`	`+ // from folders they cannot read. Use the same generic message whether or not the row id exists so the`
	`1897`	`+ // response is not an existence oracle for protocols in other containers.`
	`1898`	`+ if (protocol == null \|\| !AssayService.get().getAssayProtocols(getContainer()).contains(protocol))`
	`1899`	`+ {`
	`1900`	`+ errors.reject(ERROR_MSG, "Unknown assay: " + form.getAssayId());`
	`1901`	`+ return null;`
	`1902`	`+ }`
	`1903`	`+ protocols.add(protocol);`
	`1904`	`+ ap = AssayService.get().getProvider(protocol);`
`1882`	`1905`	`}`
`1883`	`1906`	`else if (form.getAssayType() != null)`
`1884`	`1907`	`{`