Docker/portainer
Docker/portainer
1
0
Fork 0
mirror of https://github.com/portainer/portainer.git synced 2025-07-23 07:19:41 +02:00
Code Issues Releases Activity

fix(service): webhook vulnerability for passing an invalid image tag EE-2121 (#6269)

Browse source 
* fix(service): webhook vulnerability for passing an invalid image tag
This commit is contained in:
Hao Zhang 2022-01-27 08:38:29 +08:00 committed by GitHub
parent dfb0ba9efe
commit a9406764ee
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 115 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

9
api/http/handler/webhooks/webhook_create.go
View file

@ -64,6 +64,15 @@ func (handler *Handler) webhookCreate(w http.ResponseWriter, r *http.Request) *h
endpointID := portainer.EndpointID(payload.EndpointID)
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to retrieve user info from request context", Err: err}
}
if !securityContext.IsAdmin {
return &httperror.HandlerError{StatusCode: http.StatusForbidden, Message: "Not authorized to create a webhook", Err: errors.New("not authorized to create a webhook")}
}
if payload.RegistryID != 0 {
tokenData, err := security.RetrieveTokenData(r)
if err != nil {