fix: tighten inputs for granular kinds (#4379)

* fix(backend): acls perms * nit
windmill-labs · Sep 12, 2024 · ff08b5a · ff08b5a
1 parent f222645
commit ff08b5a
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/backend/windmill-api/src/granular_acls.rs b/backend/windmill-api/src/granular_acls.rs
@@ -23,6 +23,10 @@ use windmill_common::{
     utils::{not_found_if_none, StripPath},
 };
 
+const KINDS: [&str; 9] = [
+    "script", "group_", "resource", "schedule", "variable", "flow", "folder", "app", "raw_app",
+];
+
 pub fn workspaced_service() -> Router {
     Router::new()
         .route("/get/*path", get(get_granular_acls))
@@ -49,6 +53,11 @@ async fn add_granular_acl(
     let (kind, path) = path
         .split_once('/')
         .ok_or_else(|| Error::BadRequest("Invalid path or kind".to_string()))?;
+
+    if !KINDS.contains(&kind) {
+        return Err(Error::BadRequest("Invalid kind".to_string()));
+    }
+
     let mut tx = user_db.begin(&authed).await?;
 
     let identifier = if kind == "group_" || kind == "folder" {
@@ -69,9 +78,10 @@ async fn add_granular_acl(
     }
 
     let obj_o = sqlx::query_scalar::<_, serde_json::Value>(&format!(
-        "UPDATE {kind} SET extra_perms = jsonb_set(extra_perms, '{{\"{owner}\"}}', to_jsonb($1), \
-         true) WHERE {identifier} = $2 AND workspace_id = $3 RETURNING extra_perms"
+        "UPDATE {kind} SET extra_perms = jsonb_set(extra_perms, $1, to_jsonb($2), \
+         true) WHERE {identifier} = $3 AND workspace_id = $4 RETURNING extra_perms"
     ))
+    .bind(vec![owner])
     .bind(write.unwrap_or(false))
     .bind(path)
     .bind(&w_id)
@@ -158,6 +168,10 @@ async fn remove_granular_acl(
         .split_once('/')
         .ok_or_else(|| Error::BadRequest("Invalid path or kind".to_string()))?;
 
+    if !KINDS.contains(&kind) {
+        return Err(Error::BadRequest("Invalid kind".to_string()));
+    }
+
     if !authed.is_admin {
         if kind == "folder" {
             crate::folders::require_is_owner(&authed, path)?;
@@ -267,6 +281,10 @@ async fn get_granular_acls(
         .split_once('/')
         .ok_or_else(|| Error::BadRequest("Invalid path or kind".to_string()))?;
 
+    if !KINDS.contains(&kind) {
+        return Err(Error::BadRequest("Invalid kind".to_string()));
+    }
+
     let mut tx = user_db.begin(&authed).await?;
 
     let identifier = if kind == "group_" { "name" } else { "path" };