From d0ea7f46475ae0a716827bd214179e9ae90a8d6e Mon Sep 17 00:00:00 2001
From: Stefan Strigler
Date: Mon, 6 Mar 2023 11:05:53 +0100
Subject: [PATCH] fix(emqx_authz): check if type param matches type in body
---
 apps/emqx_authz/src/emqx_authz_api_sources.erl | 4 +++-
 .../test/emqx_authz_api_sources_SUITE.erl | 14 ++++++++++++++
 changes/ce/fix-10074.en.md | 1 +
 changes/ce/fix-10074.zh.md | 1 +
 4 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 changes/ce/fix-10074.en.md
 create mode 100644 changes/ce/fix-10074.zh.md
diff --git a/apps/emqx_authz/src/emqx_authz_api_sources.erl b/apps/emqx_authz/src/emqx_authz_api_sources.erl
index c692154b1..fffb4bee4 100644
--- a/apps/emqx_authz/src/emqx_authz_api_sources.erl
+++ b/apps/emqx_authz/src/emqx_authz_api_sources.erl
@@ -262,8 +262,10 @@ source(get, #{bindings := #{type := Type}}) ->
 end;
 source(put, #{bindings := #{type := <<"file">>}, body := #{<<"type">> := <<"file">>} = Body}) ->
 update_authz_file(Body);
-source(put, #{bindings := #{type := Type}, body := Body}) ->
+source(put, #{bindings := #{type := Type}, body := #{<<"type">> := Type} = Body}) ->
 update_config({?CMD_REPLACE, Type}, Body);
+source(put, #{bindings := #{type := _Type}, body := #{<<"type">> := _OtherType}}) ->
+ {400, #{code => <<"BAD_REQUEST">>, message => <<"Type mismatch">>}};
 source(delete, #{bindings := #{type := Type}}) ->
 update_config({?CMD_DELETE, Type}, #{}).
 
diff --git a/apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl b/apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl
index 76b025716..f2761412a 100644
--- a/apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl
+++ b/apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl
@@ -332,6 +332,7 @@ t_api(_) ->
 uri(["authorization", "sources", "postgresql"]),
 ?SOURCE4#{<<"server">> := <<"fake">>}
 ),
+
 {ok, 204, _} = request(
 put,
 uri(["authorization", "sources", "redis"]),
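Review bot: A PUT body that carries no `<<"type">>` key matches none of the three `source(put, ...)` clauses in this hunk, so the handler would fail with `function_clause` instead of answering 400; before this change the generic clause accepted any body. Unless request-schema validation (not visible in this hunk) already guarantees the key, add a final clause such as `source(put, #{bindings := #{type := _Type}, body := _Body}) -> {400, #{code => <<"BAD_REQUEST">>, message => <<"Missing type">>}};` before the `delete` clause. A short comment above the matching clause would also help, e.g. `%% The path :type selects which source is replaced; refuse a body that describes another type.` The `source/2` function starts and ends outside the hunk.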
@@ -343,6 +344,19 @@ t_api(_) ->
 }
 ),
 
+ {ok, 400, TypeMismatch} = request(
+ put,
+ uri(["authorization", "sources", "file"]),
+ #{<<"type">> => <<"built_in_database">>, <<"enable">> => false}
+ ),
+ ?assertMatch(
+ #{
+ <<"code">> := <<"BAD_REQUEST">>,
+ <<"message">> := <<"Type mismatch", _/binary>>
+ },
+ jiffy:decode(TypeMismatch, [return_maps])
+ ),
+
 lists:foreach(
 fun(#{<<"type">> := Type}) ->
 {ok, 204, _} = request(
diff --git a/changes/ce/fix-10074.en.md b/changes/ce/fix-10074.en.md
new file mode 100644
index 000000000..49c52b948
--- /dev/null
+++ b/changes/ce/fix-10074.en.md
@@ -0,0 +1 @@
+Check if type in `PUT /authorization/sources/:type` matches `type` given in body of request.
diff --git a/changes/ce/fix-10074.zh.md b/changes/ce/fix-10074.zh.md
new file mode 100644
index 000000000..930840cdf
--- /dev/null
+++ b/changes/ce/fix-10074.zh.md
@@ -0,0 +1 @@
+检查 `PUT /authorization/sources/:type` 中的类型是否与请求正文中的 `type` 相符。
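Review bot: The added case in `t_api` only checks the status code and error body for the path `file` with a `built_in_database` body; it does not show that the rejected request left the configured sources untouched. Since the point of the fix is that a mismatched PUT must not replace anything, read the sources back after the 400 and assert they are unchanged. It would also be worth adding the reverse direction (a non-file path such as `redis` with `<<"type">> => <<"file">>` in the body), so the mismatch clause is exercised from both the `file` and the generic branch. `t_api` begins and ends outside this hunk.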