When using filter authorization, two edge cases could cause the policy compiler/authorizer to generate a permissive filter:
Bypass policies whose condition can never pass at runtime were compiled as
OR(AND(condition, compiled_policies), NOT(condition)).
If the condition could never be true at runtime, the NOT(condition) branch evaluated truthy and the overall expression became permissive.
Runtime policy scenarios that reduce to “no checks are applicable” (an empty SAT scenario) were treated as an empty clause and dropped instead of being treated as false, which could again produce an overly broad (permissive) filter.
These bugs could allow reads to return records that should have been excluded by policy.
Projects that rely on filter-based authorization and define:
bypass ... do ... end blocks whose condition(s) are only resolvable at runtime and can never pass in a given request context, ormay unintentionally generate a permissive query filter, potentially returning unauthorized data.
Actions primarily affected: reads guarded by filter policies. Non-filter (e.g., hard forbid) policies are not impacted.
This patch corrects two behaviors:
Ash.Policy.Policy.compile_policy_expression/1 now treats bypass blocks as
AND(condition_expression, compiled_policies)
instead of OR(AND(...), NOT(condition_expression)). This removes the permissive NOT(condition) escape hatch when a bypass condition never passes.
Ash.Policy.Authorizer now treats empty SAT scenarios (scenario == %{}) as false, ensuring impossible scenarios do not collapse into a no-op and inadvertently widen the filter. The reducer also normalizes nil → false consistently when building auto_filter fragments.
Relevant changes are in:
lib/ash/policy/policy.ex (bypass compilation)
*...3.6.2Exploitability
AV:NAC:LAT:NPR:LUI:NVulnerable System
VC:HVI:HVA:NSubsequent System
SC:NSI:NSA:NCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N