SYN-8647: Don't accept * as a value for syn:user/syn:role (#4122)

vertexproject · Feb 11, 2025 · 0b02215 · 0b02215
1 parent 90a7b3f
commit 0b02215
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/changes/a014806e2981b195a520ad7ff8681b77.yaml b/changes/a014806e2981b195a520ad7ff8681b77.yaml
@@ -0,0 +1,6 @@
+---
+desc: Fixed a bug where ``syn:user`` and ``syn:role`` types could take a ``*`` and
+  return a new guid.
+prs: []
+type: bug
+...
diff --git a/synapse/models/syn.py b/synapse/models/syn.py
@@ -23,6 +23,10 @@ def _normPyStr(self, text):
             if user is not None:
                 return user.iden, {}
 
+        if text == '*':
+            mesg = f'{self.name} values must be a valid username or a guid.'
+            raise s_exc.BadTypeValu(mesg=mesg, name=self.name, valu=text)
+
         try:
             return s_types.Guid._normPyStr(self, text)
         except s_exc.BadTypeValu:
@@ -55,6 +59,10 @@ def _normPyStr(self, text):
             if role is not None:
                 return role.iden, {}
 
+        if text == '*':
+            mesg = f'{self.name} values must be a valid rolename or a guid.'
+            raise s_exc.BadTypeValu(mesg=mesg, name=self.name, valu=text)
+
         try:
             return s_types.Guid._normPyStr(self, text)
         except s_exc.BadTypeValu:

diff --git a/synapse/tests/test_model_syn.py b/synapse/tests/test_model_syn.py
@@ -69,6 +69,12 @@ async def test_syn_userrole(self):
             self.eq(exc.exception.get('valu'), 'newp')
             self.eq(exc.exception.get('name'), 'syn:user')
 
+            with self.raises(s_exc.BadTypeValu) as exc:
+                await core.callStorm('[ it:exec:query=* :synuser=* ]')
+            self.isin('syn:user values must be a valid username or a guid.', exc.exception.get('mesg'))
+            self.eq(exc.exception.get('valu'), '*')
+            self.eq(exc.exception.get('name'), 'syn:user')
+
             (ok, iden) = await core.callStorm('return($lib.trycast(syn:role, all))')
             self.true(ok)
             self.eq(iden, core.auth.allrole.iden)
@@ -86,6 +92,12 @@ async def test_syn_userrole(self):
             self.eq(exc.exception.get('valu'), 'newp')
             self.eq(exc.exception.get('name'), 'syn:role')
 
+            with self.raises(s_exc.BadTypeValu) as exc:
+                await core.callStorm('$lib.cast(syn:role, *)')
+            self.eq(exc.exception.get('mesg'), 'syn:role values must be a valid rolename or a guid.')
+            self.eq(exc.exception.get('valu'), '*')
+            self.eq(exc.exception.get('name'), 'syn:role')
+
             # coverage for DataModel without a cortex reference
             iden = s_common.guid()