Merge pull request #4201 from Gepardgame/fix/unauthorized-access-to-p…
…rojects

Fix: Unauthorized access to projects over /vulnerability/{source}/vuln/{vuln}(/projects) when ACL is enabled
nscuro authored Oct 1, 2024
2 parents 82d9c84 + 2020619 commit 56d9deb
Showing 2 changed files with 209 additions and 16 deletions.
Expand Up @@ -35,6 +35,7 @@
import org.dependencytrack.auth.Permissions;
import org.dependencytrack.model.AffectedVersionAttribution;
import org.dependencytrack.model.Component;
import org.dependencytrack.model.ConfigPropertyConstants;
import org.dependencytrack.model.Cwe;
import org.dependencytrack.model.Project;
import org.dependencytrack.model.Vulnerability;
Expand Down Expand Up @@ -65,6 +66,7 @@
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.math.BigDecimal;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

Expand Down Expand Up @@ -219,6 +221,14 @@ public Response getVulnerabilityByVulnId(@PathParam("source") String source,
affectedComponents.add(affectedComponent);
}
vulnerability.setAffectedComponents(affectedComponents);
qm.makeTransient(vulnerability);
boolean shouldFilter = qm.isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED);
if (shouldFilter) {
Principal principal = super.getPrincipal();
vulnerability.setComponents(
vulnerability.getComponents().stream().filter(component -> qm.hasAccess(principal,
component.getProject())).toList());
}
return Response.ok(vulnerability).build();
} else {
return Response.status(Response.Status.NOT_FOUND).entity("The vulnerability could not be found.").build();
Expand Down Expand Up @@ -256,6 +266,15 @@ public Response getAffectedProject(@PathParam("source") String source,
final long filteredCount = filteredProjects.size();
return Response.ok(filteredProjects).header(TOTAL_COUNT_HEADER, filteredCount).build();
}
qm.makeTransient(vulnerability);
boolean shouldFilter = qm.isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED);
if (shouldFilter) {
Principal principal = super.getPrincipal();
vulnerability.setComponents(
vulnerability.getComponents().stream().filter(component -> qm.hasAccess(principal,
component.getProject())).toList());
}

final List<AffectedProject> projects = qm.getAffectedProjects(vulnerability);
final long totalCount = projects.size();
return Response.ok(projects).header(TOTAL_COUNT_HEADER, totalCount).build();
Expand Down Expand Up @@ -285,6 +304,15 @@ public Response getAffectedProject(@PathParam("source") String source,
public Response getAllVulnerabilities() {
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final PaginatedResult result = qm.getVulnerabilities();
boolean shouldFilter = qm.isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED);
if (shouldFilter) {
Principal principal = super.getPrincipal();
for (final Vulnerability vulnerability : result.getList(Vulnerability.class)) {
vulnerability.setComponents(
vulnerability.getComponents().stream().filter(component -> qm.hasAccess(principal,
component.getProject())).toList());
}
}
return Response.ok(result.getObjects()).header(TOTAL_COUNT_HEADER, result.getTotal()).build();
}
}
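Review bot: The getAllVulnerabilities hunk calls `vulnerability.setComponents(...)` on the instances returned by `qm.getVulnerabilities()` without the `qm.makeTransient(vulnerability)` that the two earlier hunks perform before the same mutation; if those instances are still attached to the persistence context, the narrowed component list looks like a data change rather than a response-only view, so the detach should be applied there too. The same seven-line filter is now repeated three times, which is how a fourth endpoint ends up missing the check; a small private helper keeps detach and filter together so the ACL narrowing cannot drift between sites. In getAffectedProject, `qm.getAffectedProjects(vulnerability)` on the line after the filter is only ACL-safe if it derives projects from the already-filtered `getComponents()` rather than re-querying by vulnerability id, which is worth confirming. getVulnerabilityByVulnId and getAffectedProject both begin outside their hunks.
```java
/** Detaches {@code vulnerability} and keeps only components whose project {@code principal} may access. */
private static void retainAccessibleComponents(final QueryManager qm, final Principal principal,
                                               final Vulnerability vulnerability) {
    // Detach before mutating so the narrowed list is a response-only view and is never written back.
    qm.makeTransient(vulnerability);
    vulnerability.setComponents(vulnerability.getComponents().stream()
            .filter(component -> qm.hasAccess(principal, component.getProject()))
            .toList());
}

// … unchanged: getAllVulnerabilities signature, QueryManager try-with-resources, result query …
if (qm.isEnabled(ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED)) {
    final Principal principal = super.getPrincipal();
    for (final Vulnerability vulnerability : result.getList(Vulnerability.class)) {
        retainAccessibleComponents(qm, principal, vulnerability);
    }
}
// … unchanged: Response.ok(result.getObjects()) …
```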
