AnnotationController: fix improper authorization vulnerability

This PR is based on 2.5.x branch. We fix the improper authorization by retrieving the annotation using id and user id. We also replace the ParamConverter used to get the requested Annotation on put and delete actions with an explicit call to AnnotationRepository in order to prevent a resource enumeration through response discrepancy. Fixes GHSA-mrqx-mjc4-vfh3 Co-authored-by: Jeremy Benoist <jeremy.benoist@gmail.com> Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
2023-01-23 12:16:09 +01:00
parent 9e9aedee94
commit 3ed7f2b751
6 changed files with 173 additions and 62 deletions
--- a/src/Wallabag/ApiBundle/Controller/AnnotationRestController.php
+++ b/src/Wallabag/ApiBundle/Controller/AnnotationRestController.php
@ -3,7 +3,6 @@
 namespace Wallabag\ApiBundle\Controller;

 use Nelmio\ApiDocBundle\Annotation\ApiDoc;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Wallabag\AnnotationBundle\Entity\Annotation;
@ -63,11 +62,9 @@ class AnnotationRestController extends WallabagRestController
     *      }
     * )
     *
-     * @ParamConverter("annotation", class="WallabagAnnotationBundle:Annotation")
-     *
     * @return JsonResponse
     */
-    public function putAnnotationAction(Annotation $annotation, Request $request)
+    public function putAnnotationAction(int $annotation, Request $request)
    {
        $this->validateAuthentication();

@ -86,11 +83,9 @@ class AnnotationRestController extends WallabagRestController
     *      }
     * )
     *
-     * @ParamConverter("annotation", class="WallabagAnnotationBundle:Annotation")
-     *
     * @return JsonResponse
     */
-    public function deleteAnnotationAction(Annotation $annotation)
+    public function deleteAnnotationAction(int $annotation)
    {
        $this->validateAuthentication();