Commit 878d51af authored by Afonso Castanheta's avatar Afonso Castanheta

Refactor user validation logic to fix fail-open pattern vulnerability (API Events)

parent 28abd2dc
+12 −10
@@ -6,7 +6,7 @@ from ..encoder import CustomJSONEncoder
from ..models.problem_details import ProblemDetails
from ..util import serialize_clean_camel_case
from .resources import Resource
from .responses import internal_server_error
from .responses import internal_server_error, not_found_error, forbidden_error


class ControlAccess(Resource):
@@ -19,7 +19,9 @@ class ControlAccess(Resource):
            my_query = {'id':subscriber_id}
            cert_entry = cert_col.find_one(my_query)

            if cert_entry is not None:
            if cert_entry is None:
                return not_found_error(detail="Please provide an existing Subscriber ID", cause="Certificate not found for Invoker or APF or AEF or AMF")
            
            if (event_id is None and cert_entry["cert_signature"] != cert_signature):
                prob = ProblemDetails(title="Unauthorized", detail="User not authorized", cause="You are not the owner of this resource")
                prob = serialize_clean_camel_case(prob)
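Review bot: The ownership comparison on the `if (event_id is None and cert_entry["cert_signature"] != cert_signature):` line is only evaluated when no event_id is supplied, so a request that carries an event_id reaches the rest of the method without its certificate being compared to the subscriber's here; the method body continues past the hunk, and unless that later branch compares cert_signature against the subscription's owner, a caller with any valid certificate could act on another subscriber's event, which is the same fail-open shape the commit title targets. A bare `cert_entry["cert_signature"]` also raises KeyError when the stored certificate document lacks that field, turning a missing value into a 500 rather than a refusal; `cert_entry.get("cert_signature") != cert_signature` keeps the failure closed since a missing value then never equals the presented signature. The hunk adds forbidden_error to the import line but the visible mismatch path still builds a ProblemDetails by hand with title "Unauthorized"; if the helper is used further down, the two refusal paths should agree on the status code they return.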
+4 −4
@@ -52,8 +52,8 @@ Creates a new individual CAPIF Event Subscription with Invalid SubscriberId
    Check Response Variable Type And Values    ${resp}    404    ProblemDetails
    ...    title=Not Found
    ...    status=404
    ...    detail=Invoker or APF or AEF or AMF Not found
    ...    cause=Subscriber Not Found
    ...    detail=Please provide an existing Subscriber ID
    ...    cause=Certificate not found for Invoker or APF or AEF or AMF

Deletes an individual CAPIF Event Subscription
    [Tags]    capif_api_events-3
@@ -107,8 +107,8 @@ Deletes an individual CAPIF Event Subscription with invalid SubscriberId
    Check Response Variable Type And Values    ${resp}    404    ProblemDetails
    ...    title=Not Found
    ...    status=404
    ...    detail=Invoker or APF or AEF or AMF Not found
    ...    cause=Subscriber Not Found
    ...    detail=Please provide an existing Subscriber ID
    ...    cause=Certificate not found for Invoker or APF or AEF or AMF

Deletes an individual CAPIF Event Subscription with invalid SubscriptionId
    [Tags]    capif_api_events-5
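Review bot: Both updated cases (this one and the one at line 52) pin only the 404 response for an unknown SubscriberId, while no visible case exercises the ownership refusal the commit title describes, so the fail-closed behaviour of the validation change is not guarded by these hunks as far as they show. If a case elsewhere in the file already sends a create or delete with a valid certificate belonging to a different subscriber, this does not apply; otherwise a case mirroring these two, asserting the ProblemDetails returned for a non-owner with `cause=You are not the owner of this resource`, would catch a regression back to the old pattern. The new `detail=` and `cause=` strings match those in the Python change, so the expectation text itself looks consistent.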