From eef2b9145eb0aa640761a8ab8b4bd62cd29b61c6 Mon Sep 17 00:00:00 2001
From: Steven Guiheux
Date: Mon, 12 Sep 2022 11:03:14 +0200
Subject: [PATCH] fix(api): action name can contain space
---
 engine/api/action.go | 67 ++++++++++++++++---
 .../api/router_middleware_auth_permission.go | 15 ++++-
 2 files changed, 71 insertions(+), 11 deletions(-)
diff --git a/engine/api/action.go b/engine/api/action.go
index b0f6301754..1d09459261 100644
--- a/engine/api/action.go
+++ b/engine/api/action.go
@@ -4,6 +4,7 @@ import (
 "context"
 "io"
 "net/http"
+ "net/url"
 "github.com/go-gorp/gorp"
 "github.com/gorilla/mux"
@@ -186,7 +187,12 @@ func (api *API) getActionHandler() service.Handler {
 vars := mux.Vars(r)
 groupName := vars["permGroupName"]
- actionName := vars["permActionName"]
+ actionNameEscaped := vars["permActionName"]
+
+ actionName, err := url.PathUnescape(actionNameEscaped)
+ if err != nil {
+ return sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err)
+ }
 g, err := group.LoadByName(ctx, api.mustDB(), groupName, group.LoadOptions.WithMembers)
 if err != nil {
@@ -221,7 +227,13 @@ func (api *API) putActionHandler() service.Handler {
 vars := mux.Vars(r)
 groupName := vars["permGroupName"]
- actionName := vars["permActionName"]
+
+ actionNameEscaped := vars["permActionName"]
+
+ actionName, err := url.PathUnescape(actionNameEscaped)
+ if err != nil {
+ return sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err)
+ }
 g, err := group.LoadByName(ctx, api.mustDB(), groupName)
 if err != nil {
@@ -318,7 +330,13 @@ func (api *API) deleteActionHandler() service.Handler {
 vars := mux.Vars(r)
 groupName := vars["permGroupName"]
- actionName := vars["permActionName"]
+
+ actionNameEscaped := vars["permActionName"]
+
+ actionName, err := url.PathUnescape(actionNameEscaped)
+ if err != nil {
+ return sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err)
+ }
 g, err := group.LoadByName(ctx, api.mustDB(), groupName)
 if err != nil {
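Review bot: The decode-and-check sequence added in getActionHandler is repeated verbatim in the eight other handlers this commit touches (put, delete, audit, audit rollback, usage, export, builtin, builtin usage) and again, separately, in both permission checks, so the name the middleware authorizes and the name the handler loads stay equal only as long as every copy is kept in step. A helper modelled on the `requestVarInt` call already used in postActionAuditRollbackHandler would give one decode path, as sketched below. `groupName` is still read raw from `vars["permGroupName"]` in the same handlers; if group names can carry characters that get percent-encoded, it presumably needs the same treatment. The handler bodies start and end outside these hunks.

```go
// requestVarUnescaped returns the named mux path variable after percent-decoding it.
func requestVarUnescaped(r *http.Request, name string) (string, error) {
	v, err := url.PathUnescape(mux.Vars(r)[name])
	if err != nil {
		return "", sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err)
	}
	return v, nil
}

// … unchanged: vars := mux.Vars(r), groupName lookup …
actionName, err := requestVarUnescaped(r, "permActionName")
if err != nil {
	return err
}
```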
@@ -364,7 +382,13 @@ func (api *API) getActionAuditHandler() service.Handler {
 vars := mux.Vars(r)
 groupName := vars["permGroupName"]
- actionName := vars["permActionName"]
+
+ actionNameEscaped := vars["permActionName"]
+
+ actionName, err := url.PathUnescape(actionNameEscaped)
+ if err != nil {
+ return sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err)
+ }
 g, err := group.LoadByName(ctx, api.mustDB(), groupName)
 if err != nil {
@@ -440,7 +464,12 @@ func (api *API) postActionAuditRollbackHandler() service.Handler {
 vars := mux.Vars(r)
 groupName := vars["permGroupName"]
- actionName := vars["permActionName"]
+ actionNameEscaped := vars["permActionName"]
+
+ actionName, err := url.PathUnescape(actionNameEscaped)
+ if err != nil {
+ return sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err)
+ }
 auditID, err := requestVarInt(r, "auditID")
 if err != nil {
@@ -575,7 +604,12 @@ func (api *API) getActionUsageHandler() service.Handler {
 vars := mux.Vars(r)
 groupName := vars["permGroupName"]
- actionName := vars["permActionName"]
+ actionNameEscaped := vars["permActionName"]
+
+ actionName, err := url.PathUnescape(actionNameEscaped)
+ if err != nil {
+ return sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err)
+ }
 g, err := group.LoadByName(ctx, api.mustDB(), groupName)
 if err != nil {
@@ -604,7 +638,12 @@ func (api *API) getActionExportHandler() service.Handler {
 vars := mux.Vars(r)
 groupName := vars["permGroupName"]
- actionName := vars["permActionName"]
+ actionNameEscaped := vars["permActionName"]
+
+ actionName, err := url.PathUnescape(actionNameEscaped)
+ if err != nil {
+ return sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err)
+ }
 format := FormString(r, "format")
 if format == "" {
@@ -800,7 +839,12 @@ func (api *API) getActionBuiltinHandler() service.Handler { return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error { vars := mux.Vars(r) - actionName := vars["permActionBuiltinName"] + actionNameEscaped := vars["permActionBuiltinName"] + + actionName, err := url.PathUnescape(actionNameEscaped) + if err != nil { + return sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err) + } a, err := action.LoadByTypesAndName(ctx, api.mustDB(), []string{sdk.BuiltinAction, sdk.PluginAction}, actionName, action.LoadOptions.WithRequirements,
@@ -822,7 +866,12 @@ func (api *API) getActionBuiltinUsageHandler() service.Handler { return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error { vars := mux.Vars(r) - actionName := vars["permActionBuiltinName"] + actionNameEscaped := vars["permActionBuiltinName"] + + actionName, err := url.PathUnescape(actionNameEscaped) + if err != nil { + return sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err) + } a, err := action.LoadByTypesAndName(ctx, api.mustDB(), []string{sdk.BuiltinAction, sdk.PluginAction}, actionName, action.LoadOptions.WithRequirements,
diff --git a/engine/api/router_middleware_auth_permission.go b/engine/api/router_middleware_auth_permission.go
index 5ea5c1fbd2..04def9b964 100644
--- a/engine/api/router_middleware_auth_permission.go
+++ b/engine/api/router_middleware_auth_permission.go
@@ -3,6 +3,7 @@ package api
 import (
 "context"
 "net/http"
+ "net/url"
 "strconv"
 "github.com/rockbears/log"
@@ -406,7 +407,12 @@ func (api *API) checkActionPermissions(ctx context.Context, w http.ResponseWrite
 return err
 }
- a, err := action.LoadTypeDefaultByNameAndGroupID(ctx, api.mustDB(), actionName, g.ID)
+ name, err := url.PathUnescape(actionName)
+ if err != nil {
+ return sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err)
+ }
+
+ a, err := action.LoadTypeDefaultByNameAndGroupID(ctx, api.mustDB(), name, g.ID)
 if err != nil {
 return err
 }
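Review bot: Nothing at this call in checkActionPermissions states whether `actionName` arrives still percent-encoded, and the added `url.PathUnescape` is only correct if it does. As far as I know gorilla/mux leaves path variables encoded only when the router is configured with `UseEncodedPath()`, which this diff does not show; if the value were already decoded, a second pass would rewrite a name containing a literal `%41` and reject one containing a bare `%`. Because this check authorizes the object the handler later loads through its own decode, I would add a comment such as `// actionName is the raw (still escaped) path variable; decode it once, exactly as the action handlers do`. The same applies to checkActionBuiltinPermissions in the next hunk; both function bodies begin outside their hunks.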
@@ -422,7 +428,12 @@ func (api *API) checkActionBuiltinPermissions(ctx context.Context, w http.Respon
 return sdk.WrapError(sdk.ErrWrongRequest, "invalid given action name")
 }
- a, err := action.LoadByTypesAndName(ctx, api.mustDB(), []string{sdk.BuiltinAction, sdk.PluginAction}, actionName)
+ name, err := url.PathUnescape(actionName)
+ if err != nil {
+ return sdk.NewErrorFrom(sdk.ErrWrongRequest, "%s", err)
+ }
+
+ a, err := action.LoadByTypesAndName(ctx, api.mustDB(), []string{sdk.BuiltinAction, sdk.PluginAction}, name)
 if err != nil {
 return err
 }