From efbf536ceb528c5d77ae81f7951eff33d749885e Mon Sep 17 00:00:00 2001
From: liugq
Date: Thu, 14 Jul 2022 15:34:01 +0800
Subject: [PATCH] fixed security bugs

---
 plugin/api/index_management/indices.go | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/plugin/api/index_management/indices.go b/plugin/api/index_management/indices.go
index 1b2b53cc..271378e3 100644
--- a/plugin/api/index_management/indices.go
+++ b/plugin/api/index_management/indices.go
@@ -4,9 +4,9 @@ import (
 log "github.com/cihub/seelog"
 httprouter "infini.sh/framework/core/api/router"
 "infini.sh/framework/core/elastic"
+ "infini.sh/framework/core/radix"
 "infini.sh/framework/core/util"
 "net/http"
- "strings"
 )

 func (handler APIHandler) HandleGetMappingsAction(w http.ResponseWriter, req *http.Request, ps httprouter.Params) {
@@ -46,11 +46,7 @@ func (handler APIHandler) HandleGetIndicesAction(w http.ResponseWriter, req *htt
 handler.WriteJSON(w, []interface{}{} , http.StatusOK)
 return
 }
- strIndices := ""
- if !hasAllPrivilege {
- strIndices = strings.Join(allowedIndices, ",")
- }
- catIndices, err := client.GetIndices(strIndices)
+ catIndices, err := client.GetIndices("")
 resBody := util.MapStr{}
 if err != nil {
 log.Error(err)
@@ -58,6 +54,16 @@ func (handler APIHandler) HandleGetIndicesAction(w http.ResponseWriter, req *htt
 handler.WriteJSON(w, resBody, http.StatusInternalServerError)
 return
 }
+ if !hasAllPrivilege {
+ filterIndices := map[string]elastic.IndexInfo{}
+ pattern := radix.Compile(allowedIndices...)
+ for indexName, indexInfo := range *catIndices {
+ if pattern.Match(indexName){
+ filterIndices[indexName] = indexInfo
+ }
+ }
+ catIndices = &filterIndices
+ }
 handler.WriteJSON(w, catIndices, http.StatusOK)
 }
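Review bot: `client.GetIndices("")` now loads the whole cluster's index catalog into `catIndices` even for callers without full privilege, so access control for this handler rests entirely on the filter applied later in the function, and nothing at the call site says so. I would add a comment above the call, e.g. `// Lists every index on purpose; callers without hasAllPrivilege are narrowed by the allowedIndices filter before the response is written.`, so that a later early return or log statement placed between the fetch and the filter is not written against unfiltered data. The function starts above this hunk and continues past it.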
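Review bot: The new filter dereferences `*catIndices` without a nil check; if `GetIndices` can return a nil pointer together with a nil error (not visible here), the range panics, and `if !hasAllPrivilege && catIndices != nil {` would guard it. As an authorization boundary, the filter is only as strict as the way `radix.Compile(allowedIndices...)` interprets each entry (exact name versus wildcard), which this hunk does not show. A unit test where an allowed entry is a prefix of an index the caller must not see would pin that down. Separately, `if pattern.Match(indexName){` is missing the space gofmt puts before the brace. The function body begins outside this hunk.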