Merge pull request #496 from akhandpratapsingh88/Akhand@hcl-Accelerator-security-vulnerabilities-fixes

santhoshb-msft · web-flow · commit 6ed40de0cea9 · 2023-05-18T15:25:19.000-07:00
Fix for Important Security vulnerabilities
diff --git a/src/AdminSite/Controllers/ApplicationLogController.cs b/src/AdminSite/Controllers/ApplicationLogController.cs
@@ -4,11 +4,13 @@
 using Marketplace.SaaS.Accelerator.DataAccess.Contracts;
 using Marketplace.SaaS.Accelerator.DataAccess.Entities;
 using Marketplace.SaaS.Accelerator.Services.Services;
+using Marketplace.SaaS.Accelerator.Services.Utilities;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 
 namespace Marketplace.SaaS.Accelerator.AdminSite.Controllers;
 
+[ServiceFilter(typeof(KnownUserAttribute))]
 public class ApplicationLogController : BaseController
 {
     private readonly ILogger<ApplicationLogController> logger;
diff --git a/src/CustomerSite/Controllers/HomeController.cs b/src/CustomerSite/Controllers/HomeController.cs
@@ -404,6 +404,13 @@ public IActionResult SubscriptionLogDetail(Guid subscriptionId)
         {
             if (this.User.Identity.IsAuthenticated)
             {
+                // Validate subscription from same customer
+                var subscriptionDetail = this.subscriptionService.GetPartnerSubscription(this.CurrentUserEmailAddress, subscriptionId).FirstOrDefault();
+                if(subscriptionDetail == null)
+                {
+                    return this.RedirectToAction(nameof(this.Index));
+                }
+
                 List<SubscriptionAuditLogs> subscriptionAudit = new List<SubscriptionAuditLogs>();
                 subscriptionAudit = this.subscriptionLogRepository.GetSubscriptionBySubscriptionId(subscriptionId).ToList();
                 return this.PartialView(subscriptionAudit);

Original file line number	Diff line number	Diff line change
`@@ -404,6 +404,13 @@ public IActionResult SubscriptionLogDetail(Guid subscriptionId)`
`404`	`404`	`{`
`405`	`405`	`if (this.User.Identity.IsAuthenticated)`
`406`	`406`	`{`
	`407`	`+ // Validate subscription from same customer`
	`408`	`+ var subscriptionDetail = this.subscriptionService.GetPartnerSubscription(this.CurrentUserEmailAddress, subscriptionId).FirstOrDefault();`
	`409`	`+ if(subscriptionDetail == null)`
	`410`	`+ {`
	`411`	`+ return this.RedirectToAction(nameof(this.Index));`
	`412`	`+ }`
	`413`	`+`
`407`	`414`	`List<SubscriptionAuditLogs> subscriptionAudit = new List<SubscriptionAuditLogs>();`
`408`	`415`	`subscriptionAudit = this.subscriptionLogRepository.GetSubscriptionBySubscriptionId(subscriptionId).ToList();`
`409`	`416`	`return this.PartialView(subscriptionAudit);`