misc: added backend validation for secrets read during integration create/update

2025-03-22 20:36:17 +00:00 · 2024-05-28 12:13:35 +08:00
4 changed files with 14 additions and 12 deletions
--- a/backend/src/services/integration/integration-service.ts
+++ b/backend/src/services/integration/integration-service.ts
@ -1,4 +1,4 @@
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, subject } from "@casl/ability";

 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@ -66,6 +66,11 @@ export const integrationServiceFactory = ({
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);

+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: sourceEnvironment, secretPath })
+    );
+
    const folder = await folderDAL.findBySecretPath(integrationAuth.projectId, sourceEnvironment, secretPath);
    if (!folder) throw new BadRequestError({ message: "Folder path not found" });

@ -123,6 +128,11 @@ export const integrationServiceFactory = ({
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);

+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+    );
+
    const folder = await folderDAL.findBySecretPath(integration.projectId, environment, secretPath);
    if (!folder) throw new BadRequestError({ message: "Folder path not found" });

--- a/frontend/src/helpers/string.ts
+++ b/frontend/src/helpers/string.ts
@ -1,5 +0,0 @@
-export const removeTrailingSlash = (str: string) => {
-  if (str === "/") return str;
-
-  return str.endsWith("/") ? str.slice(0, -1) : str;
-};
--- a/frontend/src/pages/integrations/aws-secret-manager/create.tsx
+++ b/frontend/src/pages/integrations/aws-secret-manager/create.tsx
@ -169,12 +169,12 @@ export default function AWSSecretManagerCreateIntegrationPage() {
          mappingBehavior: selectedMappingBehavior
        }
      });
-
      setIsLoading(false);
      setTargetSecretNameErrorText("");

      router.push(`/integrations/${localStorage.getItem("projectData.id")}`);
    } catch (err) {
+      setIsLoading(false);
      console.error(err);
    }
  };
--- a/frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx
+++ b/frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx
@ -43,7 +43,6 @@ import {
  useProjectPermission,
  useWorkspace
 } from "@app/context";
-import { removeTrailingSlash } from "@app/helpers/string";
 import { usePopUp } from "@app/hooks";
 import {
  TProjectUserPrivilege,
@ -105,9 +104,7 @@ export const SpecificPrivilegeSecretForm = ({
        ? {
            environmentSlug: privilege.permissions?.[0]?.conditions?.environment,
            // secret path will be inside $glob operator
-            secretPath: privilege.permissions?.[0]?.conditions?.secretPath?.$glob
-              ? removeTrailingSlash(privilege.permissions?.[0]?.conditions?.secretPath?.$glob)
-              : "",
+            secretPath: privilege.permissions?.[0]?.conditions?.secretPath?.$glob || "",
            read: privilege.permissions?.some(({ action }) =>
              action.includes(ProjectPermissionActions.Read)
            ),
@ -186,7 +183,7 @@ export const SpecificPrivilegeSecretForm = ({
      ];
      const conditions: Record<string, any> = { environment: data.environmentSlug };
      if (data.secretPath) {
-        conditions.secretPath = { $glob: removeTrailingSlash(data.secretPath) };
+        conditions.secretPath = { $glob: data.secretPath };
      }
      await updateUserPrivilege.mutateAsync({
        privilegeId: privilege.id,