
Commit 932d784

committed
fix security issue
Signed-off-by: Robert Landers <landers.robert@gmail.com>
1 parent b6d0f5b commit 932d784

1 file changed

Lines changed: 39 additions & 1 deletion

File tree

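--- a/cli/lib/api.go
+++ b/cli/lib/api.go
@@ -346,6 +346,7 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 if err != nil {
 logger.Error("Failed to discover resource", zap.Error(err))
 http.Error(writer, "Not Found", http.StatusNotFound)
+return
 }
 
 newUser := strings.TrimSpace(vars["userid"])
@@ -354,12 +355,14 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 if err != nil {
 logger.Error("Failed to share ownership", zap.Error(err))
 http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
+return
 }
 
 err = r.Update(ctx, logger)
 if err != nil {
 logger.Error("Failed to update resource", zap.Error(err))
 http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
+return
 }
 
 logger.Info("Shared ownership", zap.String("id", id.String()), zap.String("newUser", newUser))
@@ -384,6 +387,11 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 }
 stateId := id.ToStateId()
 
+ctx, done := authorize(writer, request, config, ctx, rm, stateId, logger, true, auth.SharePlus)
+if done {
+return
+}
+
 operation := auth.Owner
 switch strings.ToLower(vars["operation"]) {
 case "signal":
@@ -411,6 +419,7 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 if err != nil {
 logger.Error("Failed to discover resource", zap.Error(err))
 http.Error(writer, "", http.StatusNotFound)
+return
 }
 
 switch vars["type"] {
@@ -422,12 +431,14 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 if err != nil {
 logger.Error("Failed to grant resource", zap.Error(err))
 http.Error(writer, "", http.StatusForbidden)
+return
 }
 
 err = r.Update(ctx, logger)
 if err != nil {
 logger.Error("Failed to update resource", zap.Error(err))
 http.Error(writer, "", http.StatusInternalServerError)
+return
 }
 
 http.Error(writer, "", http.StatusOK)
@@ -451,10 +462,16 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 }
 stateId := id.ToStateId()
 
+ctx, done := authorize(writer, request, config, ctx, rm, stateId, logger, true, auth.ShareMinus)
+if done {
+return
+}
+
 r, err := rm.DiscoverResource(ctx, stateId, logger, true)
 if err != nil {
 logger.Error("Failed to discover resource", zap.Error(err))
 http.Error(writer, "", http.StatusNotFound)
+return
 }
 
 switch vars["type"] {
@@ -466,12 +483,14 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 if err != nil {
 logger.Error("Failed to revoke resource", zap.Error(err))
 http.Error(writer, "", http.StatusForbidden)
+return
 }
 
 err = r.Update(ctx, logger)
 if err != nil {
 logger.Error("Failed to update resource", zap.Error(err))
 http.Error(writer, "", http.StatusInternalServerError)
+return
 }
 
 http.Error(writer, "", http.StatusOK)
@@ -649,6 +668,7 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 if err != nil {
 logger.Error("Failed to discover resource", zap.Error(err))
 http.Error(writer, "Not Found", http.StatusNotFound)
+return
 }
 
 newUser := strings.TrimSpace(vars["userid"])
@@ -657,12 +677,14 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 if err != nil {
 logger.Error("Failed to share ownership", zap.Error(err))
 http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
+return
 }
 
 err = r.Update(ctx, logger)
 if err != nil {
 logger.Error("Failed to update resource", zap.Error(err))
 http.Error(writer, "Internal Server Error", http.StatusInternalServerError)
+return
 }
 
 logger.Info("Shared ownership", zap.String("id", id.String()), zap.String("newUser", newUser))
@@ -687,6 +709,11 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 }
 stateId := id.ToStateId()
 
+ctx, done := authorize(writer, request, config, ctx, rm, stateId, logger, true, auth.SharePlus)
+if done {
+return
+}
+
 operation := auth.Owner
 switch strings.ToLower(vars["operation"]) {
 case "signal":
@@ -714,6 +741,7 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 if err != nil {
 logger.Error("Failed to discover resource", zap.Error(err))
 http.Error(writer, "", http.StatusNotFound)
+return
 }
 
 switch vars["type"] {
@@ -725,19 +753,21 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 if err != nil {
 logger.Error("Failed to grant resource", zap.Error(err))
 http.Error(writer, "", http.StatusForbidden)
+return
 }
 
 err = r.Update(ctx, logger)
 if err != nil {
 logger.Error("Failed to update resource", zap.Error(err))
 http.Error(writer, "", http.StatusInternalServerError)
+return
 }
 
 http.Error(writer, "", http.StatusOK)
 })
 
 // DELETE /orchestration/{name}/{id}/grant/{type}/{user}
-r.HandleFunc("/entity/{name}/{id}/grant/{type}/{user}", func(writer http.ResponseWriter, request *http.Request) {
+r.HandleFunc("/orchestration/{name}/{id}/grant/{type}/{user}", func(writer http.ResponseWriter, request *http.Request) {
 if stop := handleCors(writer, request); stop {
 return
 }
@@ -754,10 +784,16 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 }
 stateId := id.ToStateId()
 
+ctx, done := authorize(writer, request, config, ctx, rm, stateId, logger, true, auth.ShareMinus)
+if done {
+return
+}
+
 r, err := rm.DiscoverResource(ctx, stateId, logger, true)
 if err != nil {
 logger.Error("Failed to discover resource", zap.Error(err))
 http.Error(writer, "", http.StatusNotFound)
+return
 }
 
 switch vars["type"] {
@@ -769,12 +805,14 @@ func Startup(ctx context.Context, js jetstream.JetStream, logger *zap.Logger, po
 if err != nil {
 logger.Error("Failed to revoke resource", zap.Error(err))
 http.Error(writer, "", http.StatusForbidden)
+return
 }
 
 err = r.Update(ctx, logger)
 if err != nil {
 logger.Error("Failed to update resource", zap.Error(err))
 http.Error(writer, "", http.StatusInternalServerError)
+return
 }
 
 http.Error(writer, "", http.StatusOK)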
