From 2f4b2ba405dc3f1e5018bb35a89c6ff4dbf1211d Mon Sep 17 00:00:00 2001
From: firest
Date: Fri, 11 Nov 2022 16:52:29 +0800
Subject: [PATCH 1/2] fix(mgmt_api): Convert only what is needed when parsing subscription information

---
 apps/emqx_management/src/emqx_mgmt_api_clients.erl | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/apps/emqx_management/src/emqx_mgmt_api_clients.erl b/apps/emqx_management/src/emqx_mgmt_api_clients.erl
index beff0d53e..f4fe0387f 100644
--- a/apps/emqx_management/src/emqx_mgmt_api_clients.erl
+++ b/apps/emqx_management/src/emqx_mgmt_api_clients.erl
@@ -584,13 +584,13 @@ authz_cache(delete, #{bindings := Bindings}) ->
     clean_authz_cache(Bindings).
 
 subscribe(post, #{bindings := #{clientid := ClientID}, body := TopicInfo}) ->
-    Opts = emqx_map_lib:unsafe_atom_key_map(TopicInfo),
+    Opts = to_topic_info(TopicInfo),
     subscribe(Opts#{clientid => ClientID}).
 
 subscribe_batch(post, #{bindings := #{clientid := ClientID}, body := TopicInfos}) ->
     Topics = [
-        emqx_map_lib:unsafe_atom_key_map(TopicInfo)
+        to_topic_info(TopicInfo)
      || TopicInfo <- TopicInfos
     ],
     subscribe_batch(#{clientid => ClientID, topics => Topics}).
@@ -973,3 +973,7 @@ format_authz_cache({{PubSub, Topic}, {AuthzResult, Timestamp}}) ->
         result => AuthzResult,
         updated_time => Timestamp
     }.
+
+to_topic_info(Data) ->
+    M = maps:with([<<"topic">>, <<"qos">>, <<"nl">>, <<"rap">>, <<"rh">>], Data),
+    emqx_map_lib:safe_atom_key_map(M).

From d9e7d365804fa9a7fc43a8f12469651232f5f6e2 Mon Sep 17 00:00:00 2001
From: firest
Date: Mon, 14 Nov 2022 09:45:38 +0800
Subject: [PATCH 2/2] chore: bump version && update changes

---
 apps/emqx_management/src/emqx_management.app.src | 2 +-
 changes/v5.0.11-en.md | 2 ++
 changes/v5.0.11-zh.md | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/apps/emqx_management/src/emqx_management.app.src b/apps/emqx_management/src/emqx_management.app.src
index b91b6a8b1..ab726cbb2 100644
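Review bot: `to_topic_info/1`, added at the end of the second hunk, carries neither a comment nor a `-spec`, so the reason for whitelisting the five keys before `emqx_map_lib:safe_atom_key_map/1` is only recoverable from the commit message and a later edit could quietly go back to converting the whole body. I would put `%% Keep only the known subscription option keys before converting them to atoms:` / `%% the body is untrusted request input and must never be allowed to create new atoms.` above the function, plus `-spec to_topic_info(map()) -> map().`. Note that `maps:with/2` silently drops every other key rather than rejecting it, so if unknown fields in a subscribe body are meant to produce a 400 that has to come from the request schema, which this patch does not show. The safe conversion also presumes the atoms `topic`, `qos`, `nl`, `rap` and `rh` already exist in the atom table, which looks true given `subscribe/1` consumes them, but is worth confirming.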
--- a/apps/emqx_management/src/emqx_management.app.src
+++ b/apps/emqx_management/src/emqx_management.app.src
@@ -2,7 +2,7 @@
 {application, emqx_management, [
     {description, "EMQX Management API and CLI"},
     % strict semver, bump manually!
-    {vsn, "5.0.7"},
+    {vsn, "5.0.8"},
     {modules, []},
     {registered, [emqx_management_sup]},
     {applications, [kernel, stdlib, emqx_plugins, minirest, emqx]},
diff --git a/changes/v5.0.11-en.md b/changes/v5.0.11-en.md
index b73bb4247..f35d11719 100644
--- a/changes/v5.0.11-en.md
+++ b/changes/v5.0.11-en.md
@@ -5,6 +5,8 @@
 - Security enhancement for retained messages [#9326](https://github.com/emqx/emqx/pull/9326).
   The retained messages will not be published if the publisher client is banned.
 
+- Security enhancement for the `subscribe` API [#9355](https://github.com/emqx/emqx/pull/9355).
+
 ## Bug fixes
 
 - Return 404 for status of unknown authenticator in `/authenticator/{id}/status` [#9328](https://github.com/emqx/emqx/pull/9328).
diff --git a/changes/v5.0.11-zh.md b/changes/v5.0.11-zh.md
index 959061f6a..c16c3193a 100644
--- a/changes/v5.0.11-zh.md
+++ b/changes/v5.0.11-zh.md
@@ -5,6 +5,8 @@
 - 增强 `保留消息` 的安全性 [#9332](https://github.com/emqx/emqx/pull/9332)。
   现在投递保留消息前,会先过滤掉来源客户端被封禁了的那些消息。
 
+- 增强订阅 API 的安全性 [#9355](https://github.com/emqx/emqx/pull/9355)。
+
 ## 修复
 
 - 通过 `/authenticator/{id}/status` 请求未知认证器的状态时,将会返回 404。