From faabc2b2c2e5e4894ca00288c6dda29e0ca15124 Mon Sep 17 00:00:00 2001
From: James Rasell
Date: Fri, 18 Nov 2022 17:47:43 +0100
Subject: [PATCH] api: ensure ACL role upsert decode error returns a 400 status code. (#15253)
---
 .semgrep/http_endpoint.yml | 22 ++++++++++++++++++++++
 command/agent/acl_endpoint.go | 2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 .semgrep/http_endpoint.yml
diff --git a/.semgrep/http_endpoint.yml b/.semgrep/http_endpoint.yml
new file mode 100644
index 000000000..007798613
--- /dev/null
+++ b/.semgrep/http_endpoint.yml
@@ -0,0 +1,22 @@
+rules:
+ - id: "http-endpoint-request-decode-error-code"
+ patterns:
+ - pattern: |
+ if err := decodeBody(...); err != nil {
+ return nil, CodedError(...)
+ }
+ - pattern-not-inside: |
+ if err := decodeBody(...); err != nil {
+ return nil, CodedError(400, ...)
+ }
+ - pattern-not-inside: |
+ if err := decodeBody(...); err != nil {
+ return nil, CodedError(http.StatusBadRequest, ...)
+ }
+ message: "HTTP endpoint request decode should return http.StatusBadRequest"
+ languages:
+ - "go"
+ severity: "ERROR"
+ paths:
+ include:
+ - "command/agent/*_endpoint.go"
diff --git a/command/agent/acl_endpoint.go b/command/agent/acl_endpoint.go
index 9eb71121a..9cb171b88 100644
--- a/command/agent/acl_endpoint.go
+++ b/command/agent/acl_endpoint.go
@@ -477,7 +477,7 @@ func (s *HTTPServer) aclRoleUpsertRequest(
 // Decode the ACL role.
 var aclRole structs.ACLRole
 if err := decodeBody(req, &aclRole); err != nil {
- return nil, CodedError(http.StatusInternalServerError, err.Error())
+ return nil, CodedError(http.StatusBadRequest, err.Error())
 }
 
 // Ensure the request path ID matches the ACL role ID that was decoded.
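Review bot: The rule's `pattern` matches only the exact shape `if err := decodeBody(...); err != nil { return nil, CodedError(...) }`, so a handler that assigns the decode error on its own line or returns it without CodedError is not covered, while a handler passing a status through a variable such as `CodedError(code, ...)` is reported even when that variable holds 400. A one-line comment above `id:` stating the intent would help the next reader, for example `# Request-body decode failures are client errors: report them as 400, never as 500.` The `paths.include` glob limits the check to `command/agent/*_endpoint.go`, which matches the file changed in this commit; handlers that call decodeBody from other packages, if any exist, stay outside the rule's reach.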
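Review bot: The new line still returns `err.Error()` from decodeBody verbatim in the 400 response; if decodeBody delegates to encoding/json, that text names Go types and struct fields (for example "cannot unmarshal ... into Go struct field ACLRole..."), which is more than a client needs to correct its request and exposes implementation detail to whoever can reach the endpoint. Consider a fixed client-facing message, `return nil, CodedError(http.StatusBadRequest, "unable to decode ACL role request body")`, and keep the underlying error in a server-side log if it is wanted for debugging; decodeBody itself is not in the hunk, so its error wording is inferred. aclRoleUpsertRequest begins and ends outside the hunk.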