mirror of https://github.com/portainer/portainer.git synced 2025-07-24 07:49:41 +02:00

fix(service): webhook vulnerability for passing an invalid image tag EE-2121 (#6269)

* fix(service): webhook vulnerability for passing an invalid image tag
Hao Zhang 2022-01-27 08:38:29 +08:00 committed by GitHub
parent dfb0ba9efe
commit a9406764ee
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 115 additions and 5 deletions


@ -1,6 +1,7 @@
package webhooks
import (
"errors"
"net/http"
"github.com/portainer/portainer/api/http/security"
@ -53,6 +54,15 @@ func (handler *Handler) webhookUpdate(w http.ResponseWriter, r *http.Request) *h
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a webhooks with the specified identifier inside the database", err}
}
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to retrieve user info from request context", Err: err}
}
if !securityContext.IsAdmin {
return &httperror.HandlerError{StatusCode: http.StatusForbidden, Message: "Not authorized to update a webhook", Err: errors.New("not authorized to update a webhook")}
}
if payload.RegistryID != 0 {
tokenData, err := security.RetrieveTokenData(r)
if err != nil {
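Review bot: The new `if !securityContext.IsAdmin` check sits after the webhook lookup whose error return (`Unable to find a webhooks with the specified identifier inside the database`) is the first line of this hunk, so a non-admin caller still causes a datastore read before being rejected. If the lookup's not-found branch (above the hunk, not visible here) returns a different status than the new 403, a non-admin could presumably also tell existing webhook IDs from missing ones. Consider moving the `security.RetrieveRestrictedRequestContext(r)` block and the admin check to the top of `webhookUpdate`, ahead of payload decoding and the lookup, with a comment such as `// Only administrators may modify a webhook; reject before reading the request body or the datastore.` The function starts above and continues past this hunk, so the exact placement needs checking against the full body.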