Fix for below High vulnerabilities

1) Insecure Direct Object References (CWE-639) -Broken Access Control 2) Unauthorized Access to Admin Logs (CWE-200) - Security Misconfiguration
Azure · May 11, 2023 · 477e29a · 477e29a
1 parent 0cd205f
commit 477e29a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/src/AdminSite/Controllers/ApplicationLogController.cs b/src/AdminSite/Controllers/ApplicationLogController.cs
@@ -4,11 +4,13 @@
 using Marketplace.SaaS.Accelerator.DataAccess.Contracts;
 using Marketplace.SaaS.Accelerator.DataAccess.Entities;
 using Marketplace.SaaS.Accelerator.Services.Services;
+using Marketplace.SaaS.Accelerator.Services.Utilities;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 
 namespace Marketplace.SaaS.Accelerator.AdminSite.Controllers;
 
+[ServiceFilter(typeof(KnownUserAttribute))]
 public class ApplicationLogController : BaseController
 {
     private readonly ILogger<ApplicationLogController> logger;

diff --git a/src/CustomerSite/Controllers/HomeController.cs b/src/CustomerSite/Controllers/HomeController.cs
@@ -404,6 +404,13 @@ public IActionResult SubscriptionLogDetail(Guid subscriptionId)
         {
             if (this.User.Identity.IsAuthenticated)
             {
+                // Validate subscription from same customer
+                var subscriptionDetail = this.subscriptionService.GetPartnerSubscription(this.CurrentUserEmailAddress, subscriptionId).FirstOrDefault();
+                if(subscriptionDetail == null)
+                {
+                    return this.RedirectToAction(nameof(this.Index));
+                }
+
                 List<SubscriptionAuditLogs> subscriptionAudit = new List<SubscriptionAuditLogs>();
                 subscriptionAudit = this.subscriptionLogRepository.GetSubscriptionBySubscriptionId(subscriptionId).ToList();
                 return this.PartialView(subscriptionAudit);