
[AC-1654] idor allow the attacker to disable any one scim provising (#3325)

* [AC-1654] Added IOrganizationConnectionRepository.GetByIdOrganizationIdAsync and modified OrganizationConnectionsController to use it to get a connection matching both Id and OrganizationId

* [AC-1654] Fixed unit tests
This commit is contained in:
Rui Tomé
2023-10-18 11:39:00 +01:00
committed by GitHub
parent 8c77c65ce8
commit cb73056c42
7 changed files with 75 additions and 8 deletions


@ -78,7 +78,12 @@ public class OrganizationConnectionsController : Controller
[HttpPut("{organizationConnectionId}")]
public async Task<OrganizationConnectionResponseModel> UpdateConnection(Guid organizationConnectionId, [FromBody] OrganizationConnectionRequestModel model)
{
var existingOrganizationConnection = await _organizationConnectionRepository.GetByIdAsync(organizationConnectionId);
if (model == null)
{
throw new NotFoundException();
}
var existingOrganizationConnection = await _organizationConnectionRepository.GetByIdOrganizationIdAsync(organizationConnectionId, model.OrganizationId);
if (existingOrganizationConnection == null)
{
throw new NotFoundException();
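Review bot: The scoped lookup on the `GetByIdOrganizationIdAsync(organizationConnectionId, model.OrganizationId)` line closes the cross-organization lookup only if the permission check on `model.OrganizationId` further down in UpdateConnection (outside this hunk) still runs before any write; the lookup proves the connection belongs to the organization the caller named, not that the caller may act for that organization, so that check is worth confirming. Separately, under `if (model == null)` a missing body is rejected with `throw new NotFoundException();`, which reports a malformed request as a missing resource; a bad-request exception would be the more accurate response and would keep the not-found path reserved for the scoped lookup miss. UpdateConnection's body continues outside the hunk.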


@ -5,6 +5,7 @@ namespace Bit.Core.Repositories;
public interface IOrganizationConnectionRepository : IRepository<OrganizationConnection, Guid>
{
Task<OrganizationConnection> GetByIdOrganizationIdAsync(Guid id, Guid organizationId);
Task<ICollection<OrganizationConnection>> GetByOrganizationIdTypeAsync(Guid organizationId, OrganizationConnectionType type);
Task<ICollection<OrganizationConnection>> GetEnabledByOrganizationIdTypeAsync(Guid organizationId, OrganizationConnectionType type);
}
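Review bot: The new `GetByIdOrganizationIdAsync` member carries no doc comment, and its contract is the one callers must rely on for tenant scoping: both implementations in this commit return null when the id exists but belongs to another organization. Suggested comment above the member: `/// <summary>Returns the connection with <paramref name="id"/> only if it belongs to <paramref name="organizationId"/>; otherwise null.</summary>`. The return type is not annotated as nullable, matching the neighbouring members, so the null case is worth stating in the summary.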


@ -14,6 +14,23 @@ public class OrganizationConnectionRepository : Repository<OrganizationConnectio
: base(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString)
{ }
public async Task<OrganizationConnection> GetByIdOrganizationIdAsync(Guid id, Guid organizationId)
{
using (var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<OrganizationConnection>(
$"[{Schema}].[OrganizationConnection_ReadByIdOrganizationId]",
new
{
Id = id,
OrganizationId = organizationId
},
commandType: CommandType.StoredProcedure);
return results.FirstOrDefault();
}
}
public async Task<ICollection<OrganizationConnection>> GetByOrganizationIdTypeAsync(Guid organizationId, OrganizationConnectionType type)
{
using (var connection = new SqlConnection(ConnectionString))
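Review bot: `QueryAsync` followed by `results.FirstOrDefault()` buffers the whole result set before taking the first row; Dapper's `QueryFirstOrDefaultAsync<OrganizationConnection>` states the single-row intent directly, e.g. `return await connection.QueryFirstOrDefaultAsync<OrganizationConnection>($"[{Schema}].[OrganizationConnection_ReadByIdOrganizationId]", new { Id = id, OrganizationId = organizationId }, commandType: CommandType.StoredProcedure);`. The id pair is bound as stored-procedure parameters rather than interpolated into the command text, so the lookup is not a string-built query. The enclosing class and the following method continue outside the hunk.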


@ -15,6 +15,17 @@ public class OrganizationConnectionRepository : Repository<OrganizationConnectio
{
}
public async Task<OrganizationConnection> GetByIdOrganizationIdAsync(Guid id, Guid organizationId)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var connection = await dbContext.OrganizationConnections
.FirstOrDefaultAsync(oc => oc.Id == id && oc.OrganizationId == organizationId);
return Mapper.Map<OrganizationConnection>(connection);
}
}
public async Task<ICollection<OrganizationConnection>> GetByOrganizationIdTypeAsync(Guid organizationId, OrganizationConnectionType type)
{
using (var scope = ServiceScopeFactory.CreateScope())


@ -0,0 +1,15 @@
CREATE PROCEDURE [dbo].[OrganizationConnection_ReadByIdOrganizationId]
@Id UNIQUEIDENTIFIER,
@OrganizationId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
*
FROM
[dbo].[OrganizationConnectionView]
WHERE
[Id] = @Id AND
[OrganizationId] = @OrganizationId
END