api: ensure ACL role upsert decode error returns a 400 status code. (#15253)

2026-01-01 16:05:42 +03:00 · 2022-11-18 17:47:43 +01:00
parent c495cd99bf
commit faabc2b2c2
2 changed files with 23 additions and 1 deletions
--- a/.semgrep/http_endpoint.yml
+++ b/.semgrep/http_endpoint.yml
@@ -0,0 +1,22 @@
+rules:
+  - id: "http-endpoint-request-decode-error-code"
+    patterns:
+      - pattern: |
+          if err := decodeBody(...); err != nil {
+          	return nil, CodedError(...)
+          }
+      - pattern-not-inside: |
+          if err := decodeBody(...); err != nil {
+          	return nil, CodedError(400, ...)
+          }
+      - pattern-not-inside: |
+          if err := decodeBody(...); err != nil {
+          	return nil, CodedError(http.StatusBadRequest, ...)
+          }
+    message: "HTTP endpoint request decode should return http.StatusBadRequest"
+    languages:
+      - "go"
+    severity: "ERROR"
+    paths:
+      include:
+        - "command/agent/*_endpoint.go"
--- a/command/agent/acl_endpoint.go
+++ b/command/agent/acl_endpoint.go
@@ -477,7 +477,7 @@ func (s *HTTPServer) aclRoleUpsertRequest(
 	// Decode the ACL role.
 	var aclRole structs.ACLRole
 	if err := decodeBody(req, &aclRole); err != nil {
-		return nil, CodedError(http.StatusInternalServerError, err.Error())
+		return nil, CodedError(http.StatusBadRequest, err.Error())
 	}

 	// Ensure the request path ID matches the ACL role ID that was decoded.