Merge pull request #1082 from amvanbaren/GHSA-wc7c-xq2f-qp4h

Fix GHSA-wc7c-xq2f-qp4h

Author: amvanbaren

server/src/main/java/org/eclipse/openvsx/UserAPI.java

@@ -241,10 +241,15 @@ public List<NamespaceJson> getOwnNamespaces() {
         produces = MediaType.APPLICATION_JSON_VALUE
     )
     public ResponseEntity<ResultJson> updateNamespaceDetails(@RequestBody NamespaceDetailsJson details) {
+        var user = users.findLoggedInUser();
+        if (user == null) {
+            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
+        }
+
         try {
             return ResponseEntity.ok()
                     .cacheControl(CacheControl.maxAge(10, TimeUnit.MINUTES).cachePublic())
-                    .body(users.updateNamespaceDetails(details));
+                    .body(users.updateNamespaceDetails(details, user));
         } catch (NotFoundException exc) {
             var json = NamespaceDetailsJson.error("Namespace not found: " + details.getName());
             return new ResponseEntity<>(json, HttpStatus.NOT_FOUND);
@@ -262,9 +267,14 @@ public ResponseEntity<ResultJson> updateNamespaceDetailsLogo(
             @PathVariable String namespace,
             @RequestParam MultipartFile file
     ) {
+        var user = users.findLoggedInUser();
+        if (user == null) {
+            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
+        }
+
         try {
             return ResponseEntity.ok()
-                    .body(users.updateNamespaceDetailsLogo(namespace, file));
+                    .body(users.updateNamespaceDetailsLogo(namespace, file, user));
         } catch (ErrorResultException exc) {
             return exc.toResponseEntity(ResultJson.class);
         }

server/src/main/java/org/eclipse/openvsx/UserService.java

@@ -208,11 +208,14 @@ public ResultJson addNamespaceMember(Namespace namespace, UserData user, String
 
     @Transactional(rollbackOn = { ErrorResultException.class, NotFoundException.class })
     @CacheEvict(value = { CACHE_NAMESPACE_DETAILS_JSON }, key="#details.name")
-    public ResultJson updateNamespaceDetails(NamespaceDetailsJson details) {
+    public ResultJson updateNamespaceDetails(NamespaceDetailsJson details, UserData user) {
         var namespace = repositories.findNamespace(details.getName());
         if (namespace == null) {
             throw new NotFoundException();
         }
+        if (!repositories.isNamespaceOwner(user, namespace)) {
+            throw new ErrorResultException("You must be an owner of this namespace.");
+        }
 
         var issues = validator.validateNamespaceDetails(details);
         if (!issues.isEmpty()) {
@@ -250,11 +253,14 @@ public ResultJson updateNamespaceDetails(NamespaceDetailsJson details) {
 
     @Transactional
     @CacheEvict(value = { CACHE_NAMESPACE_DETAILS_JSON }, key="#namespaceName")
-    public ResultJson updateNamespaceDetailsLogo(String namespaceName, MultipartFile file) {
+    public ResultJson updateNamespaceDetailsLogo(String namespaceName, MultipartFile file, UserData user) {
         var namespace = repositories.findNamespace(namespaceName);
         if (namespace == null) {
             throw new NotFoundException();
         }
+        if (!repositories.isNamespaceOwner(user, namespace)) {
+            throw new ErrorResultException("You must be an owner of this namespace.");
+        }
 
         var oldNamespace = SerializationUtils.clone(namespace);
         try (