Merge pull request #532 from traPtitech/fix-putstate-bug

状態遷移の脆弱性修正
traPtitech · Feb 19, 2022 · ee8fc15 · ee8fc15
2 parents bca61b8 + 4bbb85b
commit ee8fc15
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 2 deletions.
diff --git a/router/states.go b/router/states.go
@@ -113,6 +113,10 @@ func (s *Service) PutStates(c echo.Context) error {
 		}
 	}
 
+	if user != application.CreateUserTrapID && !admin {
+		return c.JSON(http.StatusUnauthorized, errsta)
+	}
+
 	state, err := s.Applications.UpdateStatesLog(applicationId, user.TrapId, sta.Reason, sta.ToState)
 	if err != nil {
 		return c.NoContent(http.StatusInternalServerError)

diff --git a/router/states_test.go b/router/states_test.go
@@ -65,7 +65,7 @@ func TestPutState(t *testing.T) {
 		panic(err)
 	}
 
-	userRepMock := NewUserRepositoryMock("UserId", "AdminUserId")
+	userRepMock := NewUserRepositoryMock("AdminUserId", "AdminUserId")
 
 	service := Service{
 		Administrators: adminRepMock,
@@ -458,7 +458,7 @@ func TestPutState(t *testing.T) {
 		asr.NoError(err)
 		asr.Equal(http.StatusBadRequest, rec.Code)
 	})
-	userRepMock = NewUserRepositoryMock("AnotherId", "AdminUserId")
+	userRepMock = NewUserRepositoryMock("AdminUserId", "AdminUserId")
 
 	service = Service{
 		Administrators: adminRepMock,
@@ -538,6 +538,46 @@ func TestPutState(t *testing.T) {
 		asr.NoError(err)
 		asr.Equal(http.StatusBadRequest, rec.Code)
 	})
+	userRepMock = NewUserRepositoryMock("AnotherId", "AdminUserId")
+
+	t.Run("shouldSuccess", func(t *testing.T) {
+		asr := assert.New(t)
+		e := echo.New()
+		ctx := context.TODO()
+		body := fmt.Sprintf(`
+		{
+			"to_state": %s,
+			"reason": "%s"
+		}
+		`, string(toStateAccepted), stateReason)
+		req := httptest.NewRequest(http.MethodPut, "/api/applications/"+id.String()+"/states", strings.NewReader(body))
+		req.Header.Set(echo.HeaderContentType, "application/json")
+		rec := httptest.NewRecorder()
+		c := e.NewContext(req, rec)
+		c.SetPath("/applications/:applicationId/states")
+		c.SetParamNames("applicationId")
+		c.SetParamValues(id.String())
+		userRepMock.SetNormalUser(c)
+
+		route, pathParam, err := router.FindRoute(req.Method, req.URL)
+		if err != nil {
+			panic(err)
+		}
+
+		requestValidationInput := &openapi3filter.RequestValidationInput{
+			Request:    req,
+			PathParams: pathParam,
+			Route:      route,
+		}
+
+		if err := openapi3filter.ValidateRequest(ctx, requestValidationInput); err != nil {
+			panic(err)
+		}
+
+		err = service.PutStates(c)
+		asr.NoError(err)
+		asr.Equal(http.StatusUnauthorized, rec.Code)
+	})
 }
 
 func TestPutRepaidStates(t *testing.T) {