Merge pull request #9355 from lafirest/fix/indirectly_bin_to_atom

fix(mgmt_api): Convert only what is needed when parsing subscription information
2022-11-14 17:45:58 +08:00 · 2022-11-14 17:45:58 +08:00 · 56d443d19a
parent 298cd2c3c9 d9e7d36580
commit 56d443d19a
4 changed files with 11 additions and 3 deletions
--- a/apps/emqx_management/src/emqx_management.app.src
+++ b/apps/emqx_management/src/emqx_management.app.src
@ -2,7 +2,7 @@
 {application, emqx_management, [
    {description, "EMQX Management API and CLI"},
    % strict semver, bump manually!
-    {vsn, "5.0.7"},
+    {vsn, "5.0.8"},
    {modules, []},
    {registered, [emqx_management_sup]},
    {applications, [kernel, stdlib, emqx_plugins, minirest, emqx]},
--- a/apps/emqx_management/src/emqx_mgmt_api_clients.erl
+++ b/apps/emqx_management/src/emqx_mgmt_api_clients.erl
@ -584,13 +584,13 @@ authz_cache(delete, #{bindings := Bindings}) ->
    clean_authz_cache(Bindings).

 subscribe(post, #{bindings := #{clientid := ClientID}, body := TopicInfo}) ->
-    Opts = emqx_map_lib:unsafe_atom_key_map(TopicInfo),
+    Opts = to_topic_info(TopicInfo),
    subscribe(Opts#{clientid => ClientID}).

 subscribe_batch(post, #{bindings := #{clientid := ClientID}, body := TopicInfos}) ->
    Topics =
        [
-            emqx_map_lib:unsafe_atom_key_map(TopicInfo)
+            to_topic_info(TopicInfo)
         || TopicInfo <- TopicInfos
        ],
    subscribe_batch(#{clientid => ClientID, topics => Topics}).
@ -973,3 +973,7 @@ format_authz_cache({{PubSub, Topic}, {AuthzResult, Timestamp}}) ->
        result => AuthzResult,
        updated_time => Timestamp
    }.
+
+to_topic_info(Data) ->
+    M = maps:with([<<"topic">>, <<"qos">>, <<"nl">>, <<"rap">>, <<"rh">>], Data),
+    emqx_map_lib:safe_atom_key_map(M).
--- a/changes/v5.0.11-en.md
+++ b/changes/v5.0.11-en.md
@ -5,6 +5,8 @@
 - Security enhancement for retained messages [#9326](https://github.com/emqx/emqx/pull/9326).
  The retained messages will not be published if the publisher client is banned.

+- Security enhancement for the `subscribe` API [#9355](https://github.com/emqx/emqx/pull/9355).
+
 ## Bug fixes

 - Return 404 for status of unknown authenticator in `/authenticator/{id}/status` [#9328](https://github.com/emqx/emqx/pull/9328).
--- a/changes/v5.0.11-zh.md
+++ b/changes/v5.0.11-zh.md
@ -5,6 +5,8 @@
 - 增强 `保留消息` 的安全性 [#9332](https://github.com/emqx/emqx/pull/9332)。
  现在投递保留消息前，会先过滤掉来源客户端被封禁了的那些消息。

+- 增强订阅 API 的安全性 [#9355](https://github.com/emqx/emqx/pull/9355)。
+
 ## 修复

 - 通过 `/authenticator/{id}/status` 请求未知认证器的状态时，将会返回 404。