From ff08b5a9b5606f02228d0b54b45d422704fed3cb Mon Sep 17 00:00:00 2001
From: HugoCasa
Date: Thu, 12 Sep 2024 14:40:22 +0200
Subject: [PATCH] fix: tighten inputs for granular kinds (#4379)

* fix(backend): acls perms
* nit
---
 backend/windmill-api/src/granular_acls.rs | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/backend/windmill-api/src/granular_acls.rs b/backend/windmill-api/src/granular_acls.rs
index f7c984d0e7bdf..fb6d2e26f56b8 100644
--- a/backend/windmill-api/src/granular_acls.rs
+++ b/backend/windmill-api/src/granular_acls.rs
@@ -23,6 +23,10 @@ use windmill_common::{
 utils::{not_found_if_none, StripPath},
 };
 
+const KINDS: [&str; 9] = [
+ "script", "group_", "resource", "schedule", "variable", "flow", "folder", "app", "raw_app",
+];
+
 pub fn workspaced_service() -> Router {
 Router::new()
 .route("/get/*path", get(get_granular_acls))
@@ -49,6 +53,11 @@ async fn add_granular_acl(
 let (kind, path) = path
 .split_once('/')
 .ok_or_else(|| Error::BadRequest("Invalid path or kind".to_string()))?;
+
+ if !KINDS.contains(&kind) {
+ return Err(Error::BadRequest("Invalid kind".to_string()));
+ }
+
 let mut tx = user_db.begin(&authed).await?;
 
 let identifier = if kind == "group_" || kind == "folder" {
@@ -69,9 +78,10 @@ async fn add_granular_acl(
 }
 
 let obj_o = sqlx::query_scalar::<_, serde_json::Value>(&format!(
- "UPDATE {kind} SET extra_perms = jsonb_set(extra_perms, '{{\"{owner}\"}}', to_jsonb($1), \
- true) WHERE {identifier} = $2 AND workspace_id = $3 RETURNING extra_perms"
+ "UPDATE {kind} SET extra_perms = jsonb_set(extra_perms, $1, to_jsonb($2), \
+ true) WHERE {identifier} = $3 AND workspace_id = $4 RETURNING extra_perms"
 ))
+ .bind(vec![owner])
 .bind(write.unwrap_or(false))
 .bind(path)
 .bind(&w_id)
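Review bot: `KINDS` carries no comment saying why it exists, although further down `{kind}` is spliced into the statement with `format!` (`UPDATE {kind} SET ...`), so this array is what keeps the URL path segment from becoming an arbitrary SQL identifier. I would record that on the constant, for example `/// Allow-list of table names that may be interpolated as {kind} into format!-built SQL; add only fixed table identifiers.` With that in place a later addition gets reviewed as a change to the SQL surface rather than as an edit to a list of strings.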
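Review bot: The same three-line `KINDS.contains(&kind)` guard is pasted into add_granular_acl here and again in the remove_granular_acl and get_granular_acls hunks, so a handler added later can omit it without anything failing. Folding the check into one helper next to `KINDS` and calling it right after `split_once` keeps the validation in a single place. The handler bodies continue outside the hunks, so the return type below is assumed from the `Err(Error::BadRequest(..))` lines and has to match the handlers' actual result type.

```rust
/// Rejects any `kind` that is not in `KINDS` before it can reach a `format!`-built query.
fn require_known_kind(kind: &str) -> Result<(), Error> {
    if KINDS.contains(&kind) {
        Ok(())
    } else {
        Err(Error::BadRequest("Invalid kind".to_string()))
    }
}

// … unchanged: split_once('/') / ok_or_else(...) in each of the three handlers …
require_known_kind(kind)?;
```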
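Review bot: The rewritten query still builds `{kind}` and `{identifier}` with `format!`, and nothing at the call site says this is sound only because `kind` passed the `KINDS` check and `identifier` comes from a fixed branch. A short comment above the `format!` would record that, e.g. `// kind is allow-listed via KINDS and identifier is a fixed column name; every other value is bound`. The new `.bind(vec![owner])` line also deserves a comment such as `// bound as a one-element text[] path, so owner is never parsed as SQL or split into several path segments`. Any other query in this file that takes `owner` is outside the visible hunks, so it should be confirmed that it binds the value the same way.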
@@ -158,6 +168,10 @@ async fn remove_granular_acl(
 .split_once('/')
 .ok_or_else(|| Error::BadRequest("Invalid path or kind".to_string()))?;
 
+ if !KINDS.contains(&kind) {
+ return Err(Error::BadRequest("Invalid kind".to_string()));
+ }
+
 if !authed.is_admin {
 if kind == "folder" {
 crate::folders::require_is_owner(&authed, path)?;
@@ -267,6 +281,10 @@ async fn get_granular_acls(
 .split_once('/')
 .ok_or_else(|| Error::BadRequest("Invalid path or kind".to_string()))?;
 
+ if !KINDS.contains(&kind) {
+ return Err(Error::BadRequest("Invalid kind".to_string()));
+ }
+
 let mut tx = user_db.begin(&authed).await?;
 
 let identifier = if kind == "group_" { "name" } else { "path" };
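Review bot: In the get_granular_acls hunk the context line `let identifier = if kind == "group_" { "name" } else { "path" };` does not special-case `"folder"`, while the matching branch in add_granular_acl tests `kind == "group_" || kind == "folder"`. The new guard explicitly accepts `"folder"` here, so the lookup column for folders may differ between the two handlers. The body of add_granular_acl's branch and the rest of this function are outside the hunks, so this is inferred and should be checked against the folder table's key column. If the two are meant to agree, the condition here would read `if kind == "group_" || kind == "folder" { "name" } else { "path" }`.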