
security: IDOR on ExecutionStatus API

jamesread hace 4 meses
padre
commit
24cced0c8c
Se han modificado 1 ficheros con 4 adiciones y 3 borrados
  1. 4 3
      service/internal/api/api.go

+ 4 - 3
service/internal/api/api.go

@@ -384,10 +384,11 @@ func (api *oliveTinAPI) ExecutionStatus(ctx ctx.Context, req *connect.Request[ap
 
 	if ile == nil {
 		return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("execution not found for tracking ID %s or action ID %s", req.Msg.ExecutionTrackingId, req.Msg.ActionId))
-	} else {
-		res.LogEntry = api.internalLogEntryToPb(ile, user)
 	}
-
+	if !isValidLogEntry(ile) || !api.isLogEntryAllowed(ile, user) {
+		return nil, connect.NewError(connect.CodePermissionDenied, fmt.Errorf("permission denied to view this execution"))
+	}
+	res.LogEntry = api.internalLogEntryToPb(ile, user)
 	return connect.NewResponse(res), nil
 }
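Review bot: The new guard still lets a caller tell an execution that exists from one that does not, because the `ile == nil` branch answers CodeNotFound while the added check answers CodePermissionDenied, so tracking IDs and action IDs of other users' executions can be enumerated by status code even though their contents are now hidden. Folding both cases into one NotFound response closes that oracle: `if ile == nil || !isValidLogEntry(ile) || !api.isLogEntryAllowed(ile, user) {` followed by `return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("execution not found"))`, which also stops reflecting the caller-supplied IDs into the error text. It is not visible from this hunk what `isValidLogEntry` rejects; if it is a structural check rather than an authorization one, reporting its failure as PermissionDenied is misleading and deserves a one-line comment such as `// treat malformed entries like unauthorized ones so nothing partial is returned`. ExecutionStatus, including where `user` is resolved, begins before this hunk.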