
Commit 406f836

Improved request account validation
Signed-off-by: Neil Twigg <[email protected]>
1 parent 372d7c5 commit 406f836

1 file changed

+14
-0
lines changed

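--- a/server/jetstream_api.go
+++ b/server/jetstream_api.go
@@ -2316,6 +2316,9 @@ func (s *Server) jsLeaderServerRemoveRequest(sub *subscription, c *client, _ *Ac
 s.Warnf(badAPIRequestT, msg)
 return
 }
+if acc != s.SystemAccount() {
+return
+}
 
 js, cc := s.getJetStreamCluster()
 if js == nil || cc == nil || cc.meta == nil {
@@ -2440,6 +2443,10 @@ func (s *Server) jsLeaderServerStreamMoveRequest(sub *subscription, c *client, _
 accName := tokenAt(subject, 6)
 streamName := tokenAt(subject, 7)
 
+if acc.GetName() != accName && acc != s.SystemAccount() {
+return
+}
+
 var resp = JSApiStreamUpdateResponse{ApiResponse: ApiResponse{Type: JSApiStreamUpdateResponseType}}
 
 var req JSApiMetaServerStreamMoveRequest
@@ -2596,6 +2603,10 @@ func (s *Server) jsLeaderServerStreamCancelMoveRequest(sub *subscription, c *cli
 accName := tokenAt(subject, 6)
 streamName := tokenAt(subject, 7)
 
+if acc.GetName() != accName && acc != s.SystemAccount() {
+return
+}
+
 targetAcc, ok := s.accounts.Load(accName)
 if !ok {
 resp.Error = NewJSNoAccountError()
@@ -2682,6 +2693,9 @@ func (s *Server) jsLeaderAccountPurgeRequest(sub *subscription, c *client, _ *Ac
 s.Warnf(badAPIRequestT, msg)
 return
 }
+if acc != s.SystemAccount() {
+return
+}
 
 js := s.getJetStream()
 if js == nil {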
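Review bot: The new guard in jsLeaderAccountPurgeRequest (and likewise in the server-remove, stream-move and cancel-move hunks) returns silently, so a non-system account attempting a privileged meta-leader operation produces neither a response nor a log line, leaving no audit trail for detection while the caller simply times out. Since the preceding malformed-request path already logs via `s.Warnf(badAPIRequestT, msg)`, the rejection should be made equally visible, e.g. `s.Warnf("JetStream API purge request rejected: account %q is not the system account", acc.GetName())` before the `return` (the exact subject variable is not visible in this hunk, so I have not quoted it). Note that the pointer comparison against `s.SystemAccount()` fails closed when no system account is configured, which is the right default; however `acc` is derived outside these hunks, so confirm it can never be nil at this point, as `acc.GetName()` in the move/cancel-move guards would otherwise panic. All four enclosing functions start and end outside their hunks.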
