Bug Report
Description
ExecutorApi.getExecutor() has a copy-paste error in its @AccessControl annotation: resourceId = "#collectorId" should be resourceId = "#executorId".
The method parameter is executorId, but the SpEL expression references #collectorId which doesn't exist. This means the resource-level RBAC check is performed with a null resource ID, potentially bypassing resource-level authorization for this endpoint.
Location
openaev-api/src/main/java/io/openaev/rest/executor/ExecutorApi.java:101-104
@AccessControl(
resourceId = "#collectorId", // BUG: should be "#executorId"
actionPerformed = Action.READ,
resourceType = ResourceType.ASSET)
public Executor getExecutor(@PathVariable String executorId) {
Fix
@AccessControl(
resourceId = "#executorId",
actionPerformed = Action.READ,
resourceType = ResourceType.ASSET)
Severity
High — RBAC misconfiguration on a resource-level access check.
Discovered during
Security review of PR for #6469.
Bug Report
Description
ExecutorApi.getExecutor()has a copy-paste error in its@AccessControlannotation:resourceId = "#collectorId"should beresourceId = "#executorId".The method parameter is
executorId, but the SpEL expression references#collectorIdwhich doesn't exist. This means the resource-level RBAC check is performed with a null resource ID, potentially bypassing resource-level authorization for this endpoint.Location
openaev-api/src/main/java/io/openaev/rest/executor/ExecutorApi.java:101-104Fix
Severity
High — RBAC misconfiguration on a resource-level access check.
Discovered during
Security review of PR for #6469.