From cfbc3a8142732fe1f7afbcb1223b60957491759a Mon Sep 17 00:00:00 2001
From: Philipp Kilian
Date: Sun, 16 Jun 2024 21:30:39 +0200
Subject: [PATCH] api: update for review changes

---
 CHANGELOG.md             | 8 +++++---
 b3lb/rest/classes/api.py | 9 +++++----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e9c609..dc776d6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,11 @@
 # ChangeLog
 
-## 3.2.4 - 2024-06-15
+## 3.2.4 - 2024-06-16
 
 Fixes:
-- fix bug in getRecordings endpoint
+- fix **security** bug in getRecordings endpoint
+
+This release fixes a security bug that allowed authenticated api requests to manage recordings of any tenants and their secrets.
 
 ## 3.2.3 - 2024-05-28
 
@@ -21,7 +23,7 @@ Fixes:
 
 Changes:
 - adjust to BBB 2.7.8 API changes
-  - forbid POST request for `join` endpoint ()
+  - forbid POST request for `join` endpoint - adjustments for POST headers are already handled
 - meeting name check:
   - add check for meeting name length for faster response without sending a request to backend systems
 
diff --git a/b3lb/rest/classes/api.py b/b3lb/rest/classes/api.py
index a558f16..9400a18 100644
--- a/b3lb/rest/classes/api.py
+++ b/b3lb/rest/classes/api.py
@@ -346,10 +346,11 @@ def filter_recordings(self, meeting_id: str = "", recording_id: str = "") -> Que
         except ValueError:
             return Record.objects.none()  # return empty QuerySet for BadRequest
 
-        if meeting_id and 2 <= len(self.meeting_id) <= cst.MEETING_ID_LENGTH:
-            query &= Q(record_set__meta_meeting_id=meeting_id)
-        elif meeting_id:
-            return Record.objects.none()  # return empty QuerySet for BadRequest
+        if meeting_id:
+            if 2 <= len(meeting_id) <= cst.MEETING_ID_LENGTH:
+                query &= Q(record_set__meta_meeting_id=meeting_id)
+            else:
+                return Record.objects.none()  # return empty QuerySet for BadRequest
 
         if self.state == "published":
             query &= Q(published=True)
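Review bot: The lower bound in `if 2 <= len(meeting_id) <= cst.MEETING_ID_LENGTH:` is a bare literal beside a named upper bound; giving it a name in the same constants module (placeholder: `cst.MEETING_ID_MIN_LENGTH`) would keep both limits of the validation rule in one place. The new nesting also reads less directly than a guard: `if meeting_id and not 2 <= len(meeting_id) <= cst.MEETING_ID_LENGTH: return Record.objects.none()` followed by `if meeting_id: query &= Q(record_set__meta_meeting_id=meeting_id)` keeps the former flat shape while still validating the parameter rather than `self.meeting_id`. Because a rejected id is indistinguishable from "no recordings" for the caller, a debug-level log in the `else` branch would make malformed requests observable without changing the response. filter_recordings begins and ends outside the hunk.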