Docker/portainer
Docker/portainer
1
0
Fork 0
mirror of https://github.com/portainer/portainer.git synced 2025-07-24 07:49:41 +02:00
Code Issues Releases Activity

fix(service): webhook vulnerability for passing an invalid image tag EE-2121 (#6269)

Browse source 
* fix(service): webhook vulnerability for passing an invalid image tag
This commit is contained in:
Hao Zhang 2022-01-27 08:38:29 +08:00 committed by GitHub
parent dfb0ba9efe
commit a9406764ee
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 115 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

11
api/http/handler/webhooks/webhook_delete.go
View file

@ -1,6 +1,8 @@
package webhooks
import (
"errors"
"github.com/portainer/portainer/api/http/security"
"net/http"
httperror "github.com/portainer/libhttp/error"
@ -25,6 +27,15 @@ func (handler *Handler) webhookDelete(w http.ResponseWriter, r *http.Request) *h
return &httperror.HandlerError{http.StatusBadRequest, "Invalid webhook id", err}
}
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to retrieve user info from request context", Err: err}
}
if !securityContext.IsAdmin {
return &httperror.HandlerError{StatusCode: http.StatusForbidden, Message: "Not authorized to delete a webhook", Err: errors.New("not authorized to delete a webhook")}
}
err = handler.DataStore.Webhook().DeleteWebhook(portainer.WebhookID(id))
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the webhook from the database", err}