From 1a6eb4b856a4ff01afddc850a9fca274ab1b72da Mon Sep 17 00:00:00 2001
From: Anurag Awasthi <43956255+anuragaw@users.noreply.github.com>
Date: Tue, 15 Jan 2019 14:05:16 +0530
Subject: [PATCH] server: use resource UUID instead of resource ID in API response (#2527) (#3099)
List resourcedetails was adding DB ID instead of UUID. This is a security risk and needs fix.
Fixes: #2527
---
 .../com/cloud/api/query/QueryManagerImpl.java | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
index 93514700492..f75f711143c 100644
--- a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
@@ -153,7 +153,6 @@ import com.cloud.api.query.vo.UserAccountJoinVO;
 import com.cloud.api.query.vo.UserVmJoinVO;
 import com.cloud.api.query.vo.VolumeJoinVO;
 import com.cloud.dc.DedicatedResourceVO;
-import com.cloud.dc.dao.DataCenterDetailsDao;
 import com.cloud.dc.dao.DedicatedResourceDao;
 import com.cloud.domain.Domain;
 import com.cloud.domain.DomainVO;
@@ -205,6 +204,7 @@ import com.cloud.utils.DateUtil;
 import com.cloud.utils.Pair;
 import com.cloud.utils.StringUtils;
 import com.cloud.utils.Ternary;
+import com.cloud.utils.db.EntityManager;
 import com.cloud.utils.db.Filter;
 import com.cloud.utils.db.JoinBuilder;
 import com.cloud.utils.db.SearchBuilder;
@@ -330,7 +330,7 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
 private DomainRouterDao _routerDao;
 @Inject
- UserVmDetailsDao _userVmDetailDao;
+ private UserVmDetailsDao _userVmDetailDao;
 @Inject
 private HighAvailabilityManager _haMgr;
@@ -342,7 +342,7 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
 private TemplateJoinDao _templateJoinDao;
 @Inject
- ResourceManager _resourceMgr;
+ private ResourceManager _resourceMgr;
 @Inject
 private ResourceMetaDataService _resourceMetaDataMgr;
@@ -350,7 +350,7 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
 private TaggedResourceService _taggedResourceMgr;
 @Inject
- AffinityGroupVMMapDao _affinityGroupVMMapDao;
+ private AffinityGroupVMMapDao _affinityGroupVMMapDao;
 @Inject
 private AffinityGroupJoinDao _affinityGroupJoinDao;
@@ -359,22 +359,22 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
 private DedicatedResourceDao _dedicatedDao;
 @Inject
- DataCenterDetailsDao _dcDetailsDao;
+ private DomainManager _domainMgr;
 @Inject
- DomainManager _domainMgr;
+ private AffinityGroupDomainMapDao _affinityGroupDomainMapDao;
 @Inject
- AffinityGroupDomainMapDao _affinityGroupDomainMapDao;
+ private NetworkDetailsDao _networkDetailsDao;
 @Inject
- NetworkDetailsDao _networkDetailsDao;
+ private ResourceTagDao _resourceTagDao;
 @Inject
- ResourceTagDao _resourceTagDao;
+ private DataStoreManager dataStoreManager;
 @Inject
- DataStoreManager dataStoreManager;
+ private EntityManager _entityMgr;
 /*
 * (non-Javadoc)
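Review bot: The injected field `private EntityManager _entityMgr;` added at the end of the `@@ -359,22 +359,22 @@` hunk, together with its import in the `@@ -205,6 +204,7 @@` hunk, is not referenced by any added line in this patch. The one functional change, in `createResourceDetailsResponse`, resolves the UUID through `_taggedResourceMgr.getUuid(...)` instead. Unless code outside these hunks uses the new field, remove the field and the import so the fix carries no unused injected dependency; if it is kept for follow-up work, say so with a one-line comment such as `// used by <caller>: resolves entities by internal id`.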
@@ -3674,7 +3674,7 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
 protected ResourceDetailResponse createResourceDetailsResponse(ResourceDetail requestedDetail, ResourceTag.ResourceObjectType resourceType) {
 ResourceDetailResponse resourceDetailResponse = new ResourceDetailResponse();
- resourceDetailResponse.setResourceId(String.valueOf(requestedDetail.getResourceId()));
+ resourceDetailResponse.setResourceId(_taggedResourceMgr.getUuid(String.valueOf(requestedDetail.getResourceId()), resourceType));
 resourceDetailResponse.setName(requestedDetail.getName());
 resourceDetailResponse.setValue(requestedDetail.getValue());
 resourceDetailResponse.setForDisplay(requestedDetail.isDisplay());
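Review bot: The value returned by `_taggedResourceMgr.getUuid(...)` goes straight into `setResourceId` with no check that a translation actually happened. `getUuid` is not part of this patch; if it hands back its input when the entity is not found or `resourceType` has no mapping, the numeric database id still reaches the API response, which is the exposure this commit sets out to remove. Consider splitting the call, `String internalId = String.valueOf(requestedDetail.getResourceId());` and `String uuid = _taggedResourceMgr.getUuid(internalId, resourceType);`, then calling `setResourceId(uuid)` only when `uuid` is non-null and differs from `internalId`, logging the miss otherwise. A unit test asserting that `createResourceDetailsResponse` never emits the internal id would pin the fix; the method body continues past the end of this hunk.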