Backport of api: ensure ACL role upsert decode error returns a 400 st…

…atus code. into release/1.4.x (#15321) This pull request was automerged via backport-assistant
hashicorp · Nov 18, 2022 · 7623043 · 7623043
1 parent bd38820
commit 7623043
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/.semgrep/http_endpoint.yml b/.semgrep/http_endpoint.yml
@@ -0,0 +1,22 @@
+rules:
+  - id: "http-endpoint-request-decode-error-code"
+    patterns:
+      - pattern: |
+          if err := decodeBody(...); err != nil {
+          	return nil, CodedError(...)
+          }
+      - pattern-not-inside: |
+          if err := decodeBody(...); err != nil {
+          	return nil, CodedError(400, ...)
+          }
+      - pattern-not-inside: |
+          if err := decodeBody(...); err != nil {
+          	return nil, CodedError(http.StatusBadRequest, ...)
+          }
+    message: "HTTP endpoint request decode should return http.StatusBadRequest"
+    languages:
+      - "go"
+    severity: "ERROR"
+    paths:
+      include:
+        - "command/agent/*_endpoint.go"
diff --git a/command/agent/acl_endpoint.go b/command/agent/acl_endpoint.go
@@ -477,7 +477,7 @@ func (s *HTTPServer) aclRoleUpsertRequest(
 	// Decode the ACL role.
 	var aclRole structs.ACLRole
 	if err := decodeBody(req, &aclRole); err != nil {
-		return nil, CodedError(http.StatusInternalServerError, err.Error())
+		return nil, CodedError(http.StatusBadRequest, err.Error())
 	}
 
 	// Ensure the request path ID matches the ACL role ID that was decoded.