winterhazel commented on code in PR #13149:
URL: https://github.com/apache/cloudstack/pull/13149#discussion_r3554780874
##########
server/src/main/java/com/cloud/user/AccountManagerImpl.java:
##########
@@ -3202,7 +3202,7 @@ public Pair<Boolean, Map<String, String>>
getKeys(GetUserKeysCmd cmd) {
ApiKeyPair keyPair;
if (accessingApiKey != null) {
ApiKeyPair accessingKeyPair =
apiKeyPairService.findByApiKey(accessingApiKey);
- if (userId == accessingKeyPair.getUserId()) {
+ if (accessingKeyPair != null && userId ==
accessingKeyPair.getUserId()) {
Review Comment:
```suggestion
if (accessingKeyPair == null) {
throw new CloudRuntimeException(String.format("Unable to
find pair of API key [%s].", accessingApiKey));
}
if (userId == accessingKeyPair.getUserId()) {
```
@sureshanaparti it makes more sense to throw an exception here. Although
unlikely, the way this `if` is structured right now can result in the key of
user A of account X leaking when the caller is using a key to access user B of
account X if `accessingKeyPair` is null.
##########
server/src/main/java/com/cloud/user/AccountManagerImpl.java:
##########
@@ -3582,6 +3586,10 @@ public List<RolePermissionEntity>
getAllKeypairPermissions(String apiKey) {
throw new InvalidParameterValueException("API key not present in
the request's URL and, thus, unable to fetch API key rules.");
}
ApiKeyPair apiKeyPair = keyPairManager.findByApiKey(apiKey);
+ if (apiKeyPair == null) {
+ logger.warn("Unable to find API key pair by API key.");
Review Comment:
@sureshanaparti I would throw a `CloudRuntimeException` here as well. Even
though this does not represent a security concern, returning an empty list here
will allow the API call to finish "successfully", hiding an issue.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]