Red Hat 3scale API Management
THREESCALE-5390

API account:find returns account when it should not


Details

    • Bug
    • Resolution: Done
    • Major
    • 2.9 GA
    • 2.9 ER1
    • System

    Description

      I've used Toolbox for finding an account. Toolbox uses this query, and I've tried to find a string that includes a random sha512:

      GET /admin/api/accounts/find.json?buyer_provider_key=ae1129432470c7ea25e6bd5162ae2cac92a71b7be2706f47805cf2d5a759129e0faa88b289481bddc1a1995b2f223cef2e3b052d325df77bb0043364a651ee0c&buyer_service_token=ae1129432470c7ea25e6bd5162ae2cac92a71b7be2706f47805cf2d5a759129e0faa88b289481bddc1a1995b2f223cef2e3b052d325df77bb0043364a651ee0c
      

      It returns an account, which has surprised me a lot:

      {
        "account": {
          "id": 57,
          "created_at": "2020-05-28T08:58:55Z",
          "updated_at": "2020-05-28T08:58:55Z",
          "credit_card_stored": false,
          "monthly_billing_enabled": true,
          "monthly_charging_enabled": true,
          "state": "created",
          "links": [
            { "rel": "self", "href": "https://3scale-admin.3scale._domain_/admin/api/accounts/57" },
            { "rel": "users", "href": "https://3scale-admin.3scale._domain_/admin/api/accounts/57/users" }
          ],
          "org_name": "id-mkudlej-prodct-euxf"
        }
      }
      

      I think that a random hash cannot be present in any attribute of any account, so it should return HTTP 404.

      Another related bug:

      $ GET /admin/api/accounts/find.xml?user_id=8a | xmllint --format --xmlout -
      <?xml version="1.0" encoding="UTF-8"?>
      <account>
      ...
        <users>
          <user>
            <id>8</id>
            <created_at>2020-05-25T18:47:53Z</created_at>
            <updated_at>2020-05-25T18:47:53Z</updated_at>
            <account_id>6</account_id>
            <state>active</state>
            <role>admin</role>
            <username>account-mkudlej-u-czoggd</username>
            <email>account-mkudlej-u-czoggd@mailhog.3scale.__domain__</email>
            <extra_fields/>
          </user>
        </users>
      </account>
      

      It found the account with user_id == 8 even though the query was user_id == 8a. It should return HTTP 404.
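      The two results above are what a lookup endpoint produces when query parameters are not validated strictly: a malformed numeric id that still matches a record, and a pair of credential-like filters that match an account they do not belong to. The following Ruby is an added example, not 3scale's own code and not from this report: it models both behaviours in a toy in-memory finder and places a strict variant beside it that answers with 404 (or 400 for a request carrying no usable filter). The report does not say what caused the real bug; the lenient variant assumes `to_i`-style integer coercion ("8a".to_i == 8) and an unfiltered fallback purely to reproduce the reported responses. All records, keys, user names and the `AccountFinder` module are constructed.

```ruby
# Added example (not 3scale's code): a toy account finder that models the
# two surprising results in the report next to a strict counterpart.
# The cause of the real bug is not stated in the report; find_lenient
# ASSUMES integer coercion and an unfiltered fallback purely to reproduce
# the reported behaviour. All records, keys and names here are constructed.

ACCOUNTS = [
  { id: 57, org_name: "id-mkudlej-prodct-euxf",
    provider_key: "pk-57", service_tokens: ["st-57-a"],
    users: [{ id: 9, username: "user-9", email: "user-9@example.invalid" }] },
  { id: 6, org_name: "account-6",
    provider_key: "pk-6", service_tokens: ["st-6-a"],
    users: [{ id: 8, username: "account-mkudlej-u-czoggd",
              email: "u-czoggd@example.invalid" }] },
].freeze

# Stand-in for the HTTP response: status code plus the matched account (or nil).
Result = Struct.new(:status, :account)

module AccountFinder
  # Filters the find endpoint accepts, taken from the query parameters in the report.
  ALLOWED_FILTERS = %i[user_id username email buyer_provider_key buyer_service_token].freeze

  # Lenient variant (models the bug): to_i silently turns "8a" into 8, and a
  # request whose parameters are not handled falls through to "first account".
  def self.find_lenient(params)
    if params.key?(:user_id)
      uid = params[:user_id].to_i
      acc = ACCOUNTS.find { |a| a[:users].any? { |u| u[:id] == uid } }
      return acc ? Result.new(200, acc) : Result.new(404, nil)
    end
    Result.new(200, ACCOUNTS.first) # no filter applied at all
  end

  # Accept a numeric id only if the whole string is digits; "8a" -> nil.
  def self.strict_int(value)
    return nil unless value.is_a?(String) && value.match?(/\A\d+\z/)
    value.to_i
  end

  # Strict variant: every supplied filter must match (AND semantics), a
  # malformed id never matches, and a request with no recognised filter is
  # rejected with 400 instead of being answered with an arbitrary account.
  def self.find_strict(params)
    filters = params.slice(*ALLOWED_FILTERS)
    return Result.new(400, nil) if filters.empty?

    uid = nil
    if filters.key?(:user_id)
      uid = strict_int(filters[:user_id])
      return Result.new(404, nil) if uid.nil?
    end

    matches = ACCOUNTS.select do |acc|
      filters.all? do |key, value|
        case key
        when :user_id             then acc[:users].any? { |u| u[:id] == uid }
        when :username            then acc[:users].any? { |u| u[:username] == value }
        when :email               then acc[:users].any? { |u| u[:email] == value }
        when :buyer_provider_key  then acc[:provider_key] == value
        when :buyer_service_token then acc[:service_tokens].include?(value)
        end
      end
    end
    matches.empty? ? Result.new(404, nil) : Result.new(200, matches.first)
  end
end

if __FILE__ == $PROGRAM_NAME
  junk = "a" * 128 # stands in for the random sha512 used in the report
  [
    [:find_lenient, { buyer_provider_key: junk, buyer_service_token: junk }],
    [:find_strict,  { buyer_provider_key: junk, buyer_service_token: junk }],
    [:find_lenient, { user_id: "8a" }],
    [:find_strict,  { user_id: "8a" }],
  ].each do |meth, params|
    r = AccountFinder.public_send(meth, params)
    puts "#{meth} #{params.keys.join(',')}: #{r.status} #{r.account && r.account[:id]}"
  end
end
```

      The strict variant gets its safety from three choices: it only searches on an explicit allow-list of filters and refuses a request that supplies none, it parses ids with a full-string digit check rather than a coercion that discards trailing characters, and it requires every supplied filter to hold for the same account, so a provider key and a service token that belong to different accounts (or to none) yield 404 rather than whichever record happens to come first.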

      People

        Unassigned
        Martin Kudlej (mkudlej@redhat.com)
        Marta Noya (Inactive)