Validate tenant name from path

author: Bjørn Christian Seime <bjorncs@yahooinc.com> 2022-09-06 13:32:24 +0200
committer: Bjørn Christian Seime <bjorncs@yahooinc.com> 2022-09-06 13:32:24 +0200
commit: da257339567d62531dd4731f1e3e673b2ca59bc2 (patch)
tree: 441ec6e74b157a8558395e9936cce9ac6f3c435a
parent: 0548f6a7180b92083cf248abbfdacb3fe6606e6f (diff)
2 files changed, 11 insertions, 0 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
index 0cbd6b61bf8..6a50f4c52b4 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
@@ -1028,6 +1028,8 @@ public class ApplicationApiHandler extends AuditLoggingRequestHandler {
         var awsRegion = request.getProperty("aws-region");
         var parameterName = request.getProperty("parameter-name");
         var applicationId = ApplicationId.fromFullString(request.getProperty("application-id"));
+        if (!applicationId.tenant().equals(TenantName.from(tenantName)))
+            return ErrorResponse.badRequest("Invalid application id");
         var zoneId = requireZone(ZoneId.from(request.getProperty("zone")));
         var deploymentId = new DeploymentId(applicationId, zoneId);
 
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java
index 674424fbdd9..3b90be40a32 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiCloudTest.java
@@ -323,6 +323,15 @@ public class ApplicationApiCloudTest extends ControllerContainerCloudTest {
                 request("/application/v4/tenant/scoober/secret-store/secret-foo/validate?aws-region=us-west-1&parameter-name=foo&application-id=scoober.albums.default&zone=prod.aws-us-east-1c", GET)
                         .roles(Set.of(Role.developer(tenantName)));
         tester.assertResponse(secretStoreRequest, "{\"target\":\"scoober.albums in prod.aws-us-east-1c\",\"result\":{\"settings\":{\"name\":\"foo\",\"role\":\"vespa-secretstore-access\",\"awsId\":\"892075328880\",\"externalId\":\"*****\",\"region\":\"us-east-1\"},\"status\":\"ok\"}}", 200);
+
+        secretStoreRequest =
+                request("/application/v4/tenant/scoober/secret-store/secret-foo/validate?aws-region=us-west-1&parameter-name=foo&application-id=scober.albums.default&zone=prod.aws-us-east-1c", GET)
+                        .roles(Set.of(Role.developer(tenantName)));
+        tester.assertResponse(secretStoreRequest, "{" +
+                "\"error-code\":\"BAD_REQUEST\"," +
+                "\"message\":\"Invalid application id\"" +
+                "}", 400);
+
     }
 
     @Test
author	Bjørn Christian Seime <bjorncs@yahooinc.com>	2022-09-06 13:32:24 +0200
committer	Bjørn Christian Seime <bjorncs@yahooinc.com>	2022-09-06 13:32:24 +0200
commit	da257339567d62531dd4731f1e3e673b2ca59bc2 (patch)
tree	441ec6e74b157a8558395e9936cce9ac6f3c435a
parent	0548f6a7180b92083cf248abbfdacb3fe6606e6f (diff)