Fix GHSA-wc7c-xq2f-qp4h
amvanbaren committed Jan 22, 2025
1 parent 7b22dd3 commit 217c623
Showing 2 changed files with 20 additions and 4 deletions.
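--- a/server/src/main/java/org/eclipse/openvsx/UserAPI.java
+++ b/server/src/main/java/org/eclipse/openvsx/UserAPI.java
@@ -241,10 +241,15 @@ public List<NamespaceJson> getOwnNamespaces() {
 produces = MediaType.APPLICATION_JSON_VALUE
 )
 public ResponseEntity<ResultJson> updateNamespaceDetails(@RequestBody NamespaceDetailsJson details) {
+var user = users.findLoggedInUser();
+if (user == null) {
+throw new ResponseStatusException(HttpStatus.FORBIDDEN);
+}
+
 try {
 return ResponseEntity.ok()
 .cacheControl(CacheControl.maxAge(10, TimeUnit.MINUTES).cachePublic())
-.body(users.updateNamespaceDetails(details));
+.body(users.updateNamespaceDetails(details, user));
 } catch (NotFoundException exc) {
 var json = NamespaceDetailsJson.error("Namespace not found: " + details.getName());
 return new ResponseEntity<>(json, HttpStatus.NOT_FOUND);
@@ -262,10 +267,15 @@ public ResponseEntity<ResultJson> updateNamespaceDetailsLogo(
 @PathVariable String namespace,
 @RequestParam MultipartFile file
 ) {
+var user = users.findLoggedInUser();
+if (user == null) {
+throw new ResponseStatusException(HttpStatus.FORBIDDEN);
+}
+
 try {
 return ResponseEntity.ok()
 .cacheControl(CacheControl.maxAge(10, TimeUnit.MINUTES).cachePublic())
-.body(users.updateNamespaceDetailsLogo(namespace, file));
+.body(users.updateNamespaceDetailsLogo(namespace, file, user));
 } catch (ErrorResultException exc) {
 return exc.toResponseEntity(ResultJson.class);
 }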
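Review bot: The ownership failure that the service now raises from updateNamespaceDetails is an ErrorResultException, but the only catch visible in that handler, the `catch (NotFoundException exc)` right after the `.body(users.updateNamespaceDetails(details, user))` line, does not cover it; the method continues outside the hunk, so confirm that a `catch (ErrorResultException exc) { return exc.toResponseEntity(ResultJson.class); }` follows, as updateNamespaceDetailsLogo has in the second hunk, otherwise a non-owner gets an unhandled exception instead of an error result. The same guard (`users.findLoggedInUser()` followed by `throw new ResponseStatusException(HttpStatus.FORBIDDEN)`) is now duplicated in both handlers; a small private helper that returns the logged-in user or throws would keep the status code and the rule in one place. Separately, both responses still carry `.cacheControl(CacheControl.maxAge(10, TimeUnit.MINUTES).cachePublic())`; that predates this commit, but a public ten-minute cache directive on the result of an authenticated write whose body depends on the caller seems worth revisiting.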
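--- a/server/src/main/java/org/eclipse/openvsx/UserService.java
+++ b/server/src/main/java/org/eclipse/openvsx/UserService.java
@@ -207,11 +207,14 @@ public ResultJson addNamespaceMember(Namespace namespace, UserData user, String
 
 @Transactional(rollbackOn = { ErrorResultException.class, NotFoundException.class })
 @CacheEvict(value = { CACHE_NAMESPACE_DETAILS_JSON }, key="#details.name")
-public ResultJson updateNamespaceDetails(NamespaceDetailsJson details) {
+public ResultJson updateNamespaceDetails(NamespaceDetailsJson details, UserData user) {
 var namespace = repositories.findNamespace(details.getName());
 if (namespace == null) {
 throw new NotFoundException();
 }
+if (!repositories.isNamespaceOwner(user, namespace)) {
+throw new ErrorResultException("You must be an owner of this namespace.");
+}
 
 var issues = validator.validateNamespaceDetails(details);
 if (!issues.isEmpty()) {
@@ -243,11 +246,14 @@ public ResultJson updateNamespaceDetails(NamespaceDetailsJson details) {
 
 @Transactional
 @CacheEvict(value = { CACHE_NAMESPACE_DETAILS_JSON }, key="#namespaceName")
-public ResultJson updateNamespaceDetailsLogo(String namespaceName, MultipartFile file) {
+public ResultJson updateNamespaceDetailsLogo(String namespaceName, MultipartFile file, UserData user) {
 var namespace = repositories.findNamespace(namespaceName);
 if (namespace == null) {
 throw new NotFoundException();
 }
+if (!repositories.isNamespaceOwner(user, namespace)) {
+throw new ErrorResultException("You must be an owner of this namespace.");
+}
 
 var oldNamespace = SerializationUtils.clone(namespace);
 try (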
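Review bot: The new owner check in both hunks passes `user` straight to `repositories.isNamespaceOwner(user, namespace)` without validating it; the controller rejects a null user, but the service is now the layer that enforces the rule, so a guard such as `Objects.requireNonNull(user, "user");` before the check (or explicitly treating a null user as not an owner, depending on what isNamespaceOwner does with null, which is not visible here) would keep the authorization decision from relying on every caller remembering the null check. The check and its message are repeated verbatim in both methods; a private `requireNamespaceOwner(UserData user, Namespace namespace)` helper would keep the rule and the wording in one place. The added `user` parameter is undocumented on both public methods; a Javadoc `@param user the caller, who must be an owner of the namespace` together with `@throws ErrorResultException if the caller is not an owner` would make the new contract explicit. Both methods continue past the end of their hunks.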
