fix: prevent unauthorized access to other users' apps in /apps/by-owner endpoint#5396
Conversation
|
""" WalkthroughThe changes restrict the Changes
Sequence Diagram(s)sequenceDiagram
participant User
participant AppController
participant UserInfoHolder
participant RoleService
participant AppService
User->>AppController: GET /apps/by-self?page=X&size=Y
AppController->>UserInfoHolder: Get logged-in user ID
AppController->>RoleService: Get roles for user
RoleService-->>AppController: Return app IDs
AppController->>AppService: Query apps by app IDs with pagination
AppService-->>AppController: Return apps
AppController-->>User: Return paginated app list
Assessment against linked issues
Assessment against linked issues: Out-of-scope changesNo out-of-scope changes found. Suggested labels
Poem
📜 Recent review detailsConfiguration used: CodeRabbit UI 📒 Files selected for processing (4)
✅ Files skipped from review due to trivial changes (2)
🚧 Files skipped from review as they are similar to previous changes (2)
⏰ Context from checks skipped due to timeout of 90000ms (1)
✨ Finishing Touches
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
|
I have read the CLA Document and I hereby sign the CLA |
For this interface, there is no corresponding test file in the project. |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java (1)
108-112: Consider API transparency for parameter override.The silent override of the owner parameter might be confusing for API consumers. While this approach maintains backward compatibility, consider documenting this behavior in the API documentation or adding a response header indicating when parameter override occurs.
Alternative approaches to consider:
- Return an HTTP 403 Forbidden when users try to access other users' apps
- Add a response header indicating parameter override
- Document the behavior clearly in API documentation
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
CHANGES.md(1 hunks)apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java(2 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java (1)
apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/entity/bo/UserInfo.java (1)
UserInfo(19-79)
🔇 Additional comments (2)
CHANGES.md (1)
15-15: LGTM! Proper documentation of security fix.The changelog entry correctly documents the security enhancement with appropriate categorization and PR reference.
apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java (1)
31-31: LGTM! Appropriate import addition.The UserInfo import is correctly added to support the security enhancement.
| UserInfo loginUser = userInfoHolder.getUser(); | ||
| if(!Objects.equals(loginUser.getUserId(), owner)) { | ||
| // User can only search his own apps | ||
| owner = loginUser.getUserId(); | ||
| } |
There was a problem hiding this comment.
Critical: Add null safety check for user authentication.
The security logic is sound, but there's a potential NullPointerException if userInfoHolder.getUser() returns null when the user is not properly authenticated.
Apply this diff to add proper null safety:
public List<App> findAppsByOwner(@RequestParam("owner") String owner, Pageable page) {
UserInfo loginUser = userInfoHolder.getUser();
+ if (loginUser == null) {
+ throw new BadRequestException("User not authenticated");
+ }
if(!Objects.equals(loginUser.getUserId(), owner)) {
// User can only search his own apps
owner = loginUser.getUserId();
}Additionally, consider adding security audit logging when parameter override occurs:
if(!Objects.equals(loginUser.getUserId(), owner)) {
// User can only search his own apps
+ // Log security violation attempt for monitoring
owner = loginUser.getUserId();
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| UserInfo loginUser = userInfoHolder.getUser(); | |
| if(!Objects.equals(loginUser.getUserId(), owner)) { | |
| // User can only search his own apps | |
| owner = loginUser.getUserId(); | |
| } | |
| public List<App> findAppsByOwner(@RequestParam("owner") String owner, Pageable page) { | |
| UserInfo loginUser = userInfoHolder.getUser(); | |
| + if (loginUser == null) { | |
| + throw new BadRequestException("User not authenticated"); | |
| + } | |
| if (!Objects.equals(loginUser.getUserId(), owner)) { | |
| // User can only search his own apps | |
| + // Log security violation attempt for monitoring | |
| owner = loginUser.getUserId(); | |
| } | |
| // … rest of method … | |
| } |
🤖 Prompt for AI Agents
In
apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java
around lines 108 to 112, add a null check for loginUser after calling
userInfoHolder.getUser() to prevent NullPointerException if the user is not
authenticated. Only proceed with comparing and overriding owner if loginUser is
not null. Also, add security audit logging to record when the owner parameter is
overridden due to authentication checks.
spaceluke
left a comment
There was a problem hiding this comment.
目前看这个接口只有一个地方使用,不过从语义上来讲,还是可以新增一个获取自己应用列表的接口(不需要传 userid)。
至于老接口,可以删除,不过不确定是否有外部应用依赖这个接口
我认为不应该直接改原本这个接口,应该新增一个比如 /by-self 这样的接口。
旧接口可以更改为需要superadmin权限,或直接删除。 @nobodyiam 哪种比较合适呢?
是的,从语义上来讲新增一个接口更为合适。旧接口可以更改为需要 superadmin 权限,或直接删除。 |
|
好的 我将重新完成此 pr |
4f46e7f to
859817e
Compare
- Restrict /apps/by-owner to super admin users only - Add new /apps/by-self endpoint for users to access their own apps - Update frontend to use self-service endpoint for better security
Remove orphaned find_app_by_owner function and resource definition that were no longer used after the /apps/by-owner endpoint removal.
34157aa to
3e71220
Compare
What's the purpose of this PR
Enhance system security to prevent users from unauthorized access to other users' application information while maintaining API backward compatibility.
This PR is fully replicate the permission design of the
favoritesinterface.Which issue(s) this PR fixes:
Fixes #5388
Brief changelog
Security Fix:
Follow this checklist to help us incorporate your contribution quickly and easily:
mvn clean testto make sure this pull request doesn't break anything.CHANGESlog.Summary by CodeRabbit
Bug Fixes
Documentation