
security: IDOR on ExecutionStatus API

jamesread 4 månader sedan
förälder
incheckning
24cced0c8c
1 ändrade filer med 4 tillägg och 3 borttagningar
  1. 4 3
      service/internal/api/api.go

+ 4 - 3
service/internal/api/api.go

@@ -384,10 +384,11 @@ func (api *oliveTinAPI) ExecutionStatus(ctx ctx.Context, req *connect.Request[ap
 
 	if ile == nil {
 		return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("execution not found for tracking ID %s or action ID %s", req.Msg.ExecutionTrackingId, req.Msg.ActionId))
-	} else {
-		res.LogEntry = api.internalLogEntryToPb(ile, user)
 	}
-
+	if !isValidLogEntry(ile) || !api.isLogEntryAllowed(ile, user) {
+		return nil, connect.NewError(connect.CodePermissionDenied, fmt.Errorf("permission denied to view this execution"))
+	}
+	res.LogEntry = api.internalLogEntryToPb(ile, user)
 	return connect.NewResponse(res), nil
 }
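Review bot: The new guard on the `if !isValidLogEntry(ile) || !api.isLogEntryAllowed(ile, user)` line returns CodePermissionDenied while the preceding `ile == nil` branch keeps CodeNotFound, so a caller can still tell an execution that does not exist apart from one it may not view, which makes tracking IDs enumerable by error code even though the entry itself is no longer returned. For an access check on a caller-supplied identifier the usual defence is to answer both cases identically, e.g. `return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("execution not found"))` in the denied branch as well, and to record the denial server-side where it can be alerted on. What isValidLogEntry rejects is not visible in this hunk; if it screens malformed or incomplete entries rather than unauthorised ones, folding it into a permission-denied error mislabels a data-integrity failure, and a short comment above the guard stating which condition each call covers would help the next reader. ExecutionStatus begins before the hunk, so where `res` and `user` are populated cannot be reviewed here.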