winterhazel commented on code in PR #13149:
URL: https://github.com/apache/cloudstack/pull/13149#discussion_r3554780874


##########
server/src/main/java/com/cloud/user/AccountManagerImpl.java:
##########
@@ -3202,7 +3202,7 @@ public Pair<Boolean, Map<String, String>> 
getKeys(GetUserKeysCmd cmd) {
         ApiKeyPair keyPair;
         if (accessingApiKey != null) {
             ApiKeyPair accessingKeyPair = 
apiKeyPairService.findByApiKey(accessingApiKey);
-            if (userId == accessingKeyPair.getUserId()) {
+            if (accessingKeyPair != null && userId == 
accessingKeyPair.getUserId()) {

Review Comment:
   ```suggestion
               if (accessingKeyPair == null) {
                   throw new CloudRuntimeException(String.format("Unable to 
find pair of API key [%s].", accessingApiKey));
               }
               if (userId == accessingKeyPair.getUserId()) {
   ```
   
   @sureshanaparti it makes more sense to throw an exception here. Although 
unlikely, the way this `if` is structured right now can result in the key of 
user A of account X leaking when the caller is using a key to access user B of 
account X if `accessingKeyPair` is null. 
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to