From 79f3dabaacfd8fc1247ecf93909f73d4c98b2003 Mon Sep 17 00:00:00 2001
From: Matt Gibson <mgibson@bitwarden.com>
Date: Mon, 5 Apr 2021 15:20:13 -0500
Subject: [PATCH] Throw if collection Id does not exist on the organization
 (#1259)

Otherwise, we're just saving strings for fun. This makes it clear the
user's specified collection won't do anything.
---
 src/Core/Services/Implementations/CipherService.cs | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/Core/Services/Implementations/CipherService.cs b/src/Core/Services/Implementations/CipherService.cs
index 220a29dfef..718d687952 100644
--- a/src/Core/Services/Implementations/CipherService.cs
+++ b/src/Core/Services/Implementations/CipherService.cs
@@ -122,6 +122,11 @@ namespace Bit.Core.Services
             {
                 if (cipher.OrganizationId.HasValue && collectionIds != null)
                 {
+                    var existingCollectionIds = (await _collectionRepository.GetManyByOrganizationIdAsync(cipher.OrganizationId.Value)).Select(c => c.Id);
+                    if (collectionIds.Except(existingCollectionIds).Any())
+                    {
+                        throw new BadRequestException("Specified CollectionId does not exist on the specified Organization.");
+                    }
                     await _cipherRepository.CreateAsync(cipher, collectionIds);
                 }
                 else
@@ -198,7 +203,7 @@ namespace Bit.Core.Services
                 Key = request.Key,
                 Size = request.FileSize,
                 Validated = false,
-           };
+            };
 
             var uploadUrl = await _attachmentStorageService.GetAttachmentUploadUrlAsync(cipher, data);
 
@@ -248,7 +253,8 @@ namespace Bit.Core.Services
                 await _eventService.LogCipherEventAsync(cipher, Enums.EventType.Cipher_AttachmentCreated);
                 cipher.AddAttachment(attachmentId, data);
 
-                if (!await ValidateCipherAttachmentFile(cipher, data)) {
+                if (!await ValidateCipherAttachmentFile(cipher, data))
+                {
                     throw new Exception("Content-Length does not match uploaded file size");
                 }
             }
@@ -911,7 +917,7 @@ namespace Bit.Core.Services
             {
                 return;
             }
-            
+
             await _cipherRepository.DeleteAttachmentAsync(cipher.Id, attachmentData.AttachmentId);
             cipher.DeleteAttachment(attachmentData.AttachmentId);
             await _attachmentStorageService.DeleteAttachmentAsync(cipher.Id, attachmentData);