Return vague 404

Emyrk · Emyrk · commit 815baf96b475 · 2022-06-10T11:37:42.000-05:00
diff --git a/coderd/files.go b/coderd/files.go
@@ -87,7 +87,7 @@ func (api *API) fileByHash(rw http.ResponseWriter, r *http.Request) {
 	}
 	file, err := api.Database.GetFileByHash(r.Context(), hash)
 	if errors.Is(err, sql.ErrNoRows) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("File %q", hash))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 	if err != nil {
@@ -101,7 +101,7 @@ func (api *API) fileByHash(rw http.ResponseWriter, r *http.Request) {
 	if !api.Authorize(r, rbac.ActionRead,
 		rbac.ResourceFile.WithOwner(file.CreatedBy.String()).WithID(file.Hash)) {
 		// Return 404 to not leak the file exists
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("File %q", hash))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
diff --git a/coderd/gitsshkey.go b/coderd/gitsshkey.go
@@ -15,7 +15,7 @@ func (api *API) regenerateGitSSHKey(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 
 	if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceUserData.WithOwner(user.ID.String())) {
-		httpapi.Forbidden(rw)
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -64,7 +64,7 @@ func (api *API) gitSSHKey(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 
 	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceUserData.WithOwner(user.ID.String())) {
-		httpapi.Forbidden(rw)
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
diff --git a/coderd/httpapi/httpapi.go b/coderd/httpapi/httpapi.go
@@ -76,9 +76,11 @@ type Error struct {
 	Detail string `json:"detail" validate:"required"`
 }
 
-func ResourceNotFound(rw http.ResponseWriter, resource string) {
+// ResourceNotFound is intentionally vague. All 404 responses should be identical
+// to prevent leaking existence of resources.
+func ResourceNotFound(rw http.ResponseWriter) {
 	Write(rw, http.StatusNotFound, Response{
-		Message: fmt.Sprintf("%s does not exist.", resource),
+		Message: fmt.Sprintf("Resource not found"),
 	})
 }
 
diff --git a/coderd/httpmw/organizationparam.go b/coderd/httpmw/organizationparam.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"database/sql"
 	"errors"
-	"fmt"
 	"net/http"
 
 	"github.com/coder/coder/coderd/database"
@@ -45,7 +44,7 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler
 
 			organization, err := db.GetOrganizationByID(r.Context(), orgID)
 			if errors.Is(err, sql.ErrNoRows) {
-				httpapi.ResourceNotFound(rw, fmt.Sprintf("Organization %q", orgID))
+				httpapi.ResourceNotFound(rw)
 				return
 			}
 			if err != nil {
diff --git a/coderd/httpmw/templateparam.go b/coderd/httpmw/templateparam.go
@@ -47,7 +47,7 @@ func ExtractTemplateParam(db database.Store) func(http.Handler) http.Handler {
 			}
 
 			if template.Deleted {
-				httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %q", templateID))
+				httpapi.ResourceNotFound(rw)
 				return
 			}
 
diff --git a/coderd/httpmw/templateversionparam.go b/coderd/httpmw/templateversionparam.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"database/sql"
 	"errors"
-	"fmt"
 	"net/http"
 
 	"github.com/go-chi/chi/v5"
@@ -34,7 +33,7 @@ func ExtractTemplateVersionParam(db database.Store) func(http.Handler) http.Hand
 			}
 			templateVersion, err := db.GetTemplateVersionByID(r.Context(), templateVersionID)
 			if errors.Is(err, sql.ErrNoRows) {
-				httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %q", templateVersionID))
+				httpapi.ResourceNotFound(rw)
 				return
 			}
 			if err != nil {
diff --git a/coderd/httpmw/userparam.go b/coderd/httpmw/userparam.go
@@ -2,8 +2,11 @@ package httpmw
 
 import (
 	"context"
+	"database/sql"
 	"net/http"
 
+	"golang.org/x/xerrors"
+
 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
 
@@ -47,6 +50,10 @@ func ExtractUserParam(db database.Store) func(http.Handler) http.Handler {
 
 			if userQuery == "me" {
 				user, err = db.GetUserByID(r.Context(), APIKey(r).UserID)
+				if xerrors.Is(err, sql.ErrNoRows) {
+					httpapi.ResourceNotFound(rw)
+					return
+				}
 				if err != nil {
 					httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
 						Message: "Internal error fetching user.",
diff --git a/coderd/httpmw/workspacebuildparam.go b/coderd/httpmw/workspacebuildparam.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"database/sql"
 	"errors"
-	"fmt"
 	"net/http"
 
 	"github.com/go-chi/chi/v5"
@@ -34,7 +33,7 @@ func ExtractWorkspaceBuildParam(db database.Store) func(http.Handler) http.Handl
 			}
 			workspaceBuild, err := db.GetWorkspaceBuildByID(r.Context(), workspaceBuildID)
 			if errors.Is(err, sql.ErrNoRows) {
-				httpapi.ResourceNotFound(rw, fmt.Sprintf("Workspace build %q", workspaceBuildID))
+				httpapi.ResourceNotFound(rw)
 				return
 			}
 			if err != nil {
diff --git a/coderd/httpmw/workspaceparam.go b/coderd/httpmw/workspaceparam.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"database/sql"
 	"errors"
-	"fmt"
 	"net/http"
 
 	"github.com/coder/coder/coderd/database"
@@ -32,7 +31,7 @@ func ExtractWorkspaceParam(db database.Store) func(http.Handler) http.Handler {
 			}
 			workspace, err := db.GetWorkspaceByID(r.Context(), workspaceID)
 			if errors.Is(err, sql.ErrNoRows) {
-				httpapi.ResourceNotFound(rw, fmt.Sprintf("Workspace %q", workspaceID))
+				httpapi.ResourceNotFound(rw)
 				return
 			}
 			if err != nil {
diff --git a/coderd/organizations.go b/coderd/organizations.go
@@ -22,7 +22,7 @@ func (api *API) organization(rw http.ResponseWriter, r *http.Request) {
 	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceOrganization.
 		InOrg(organization.ID).
 		WithID(organization.ID.String())) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Organization %q", organization.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -33,8 +33,7 @@ func (api *API) postOrganizations(rw http.ResponseWriter, r *http.Request) {
 	apiKey := httpmw.APIKey(r)
 	// Create organization uses the organization resource without an OrgID.
 	// This means you need the site wide permission to make a new organization.
-	if !api.Authorize(r, rbac.ActionCreate,
-		rbac.ResourceOrganization) {
+	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceOrganization) {
 		httpapi.Forbidden(rw)
 		return
 	}
diff --git a/coderd/parameters.go b/coderd/parameters.go
@@ -27,7 +27,7 @@ func (api *API) postParameter(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if !api.Authorize(r, rbac.ActionUpdate, obj) {
-		httpapi.Forbidden(rw)
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -87,7 +87,7 @@ func (api *API) parameters(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	if !api.Authorize(r, rbac.ActionRead, obj) {
-		httpapi.Forbidden(rw)
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -124,7 +124,7 @@ func (api *API) deleteParameter(rw http.ResponseWriter, r *http.Request) {
 	}
 	// A deleted param is still updating the underlying resource for the scope.
 	if !api.Authorize(r, rbac.ActionUpdate, obj) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Parameter %q with scope %q", scopeID, scope))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -135,7 +135,7 @@ func (api *API) deleteParameter(rw http.ResponseWriter, r *http.Request) {
 		Name:    name,
 	})
 	if errors.Is(err, sql.ErrNoRows) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Parameter %q with scope %q", scopeID, scope))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 	if err != nil {
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -44,7 +44,7 @@ func (api *API) checkPermissions(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 
 	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceUser.WithID(user.ID.String())) {
-		httpapi.Forbidden(rw)
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
diff --git a/coderd/templates.go b/coderd/templates.go
@@ -29,7 +29,7 @@ func (api *API) template(rw http.ResponseWriter, r *http.Request) {
 	template := httpmw.TemplateParam(r)
 
 	if !api.Authorize(r, rbac.ActionRead, template) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %q", template.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -56,7 +56,7 @@ func (api *API) template(rw http.ResponseWriter, r *http.Request) {
 func (api *API) deleteTemplate(rw http.ResponseWriter, r *http.Request) {
 	template := httpmw.TemplateParam(r)
 	if !api.Authorize(r, rbac.ActionDelete, template) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %q", template.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -100,7 +100,7 @@ func (api *API) postTemplateByOrganization(rw http.ResponseWriter, r *http.Reque
 	var createTemplate codersdk.CreateTemplateRequest
 	organization := httpmw.OrganizationParam(r)
 	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceTemplate.InOrg(organization.ID)) {
-		httpapi.Forbidden(rw)
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -273,7 +273,7 @@ func (api *API) templateByOrganizationAndName(rw http.ResponseWriter, r *http.Re
 	})
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
-			httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %q in organization %q", templateName, organization.Name))
+			httpapi.ResourceNotFound(rw)
 			return
 		}
 
@@ -285,7 +285,7 @@ func (api *API) templateByOrganizationAndName(rw http.ResponseWriter, r *http.Re
 	}
 
 	if !api.Authorize(r, rbac.ActionRead, template) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %q in organization %q", templateName, organization.Name))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -312,7 +312,7 @@ func (api *API) templateByOrganizationAndName(rw http.ResponseWriter, r *http.Re
 func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 	template := httpmw.TemplateParam(r)
 	if !api.Authorize(r, rbac.ActionUpdate, template) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %q", template.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
diff --git a/coderd/templateversions.go b/coderd/templateversions.go
@@ -23,7 +23,7 @@ import (
 func (api *API) templateVersion(rw http.ResponseWriter, r *http.Request) {
 	templateVersion := httpmw.TemplateVersionParam(r)
 	if !api.Authorize(r, rbac.ActionRead, templateVersion) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %q", templateVersion.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -42,7 +42,7 @@ func (api *API) templateVersion(rw http.ResponseWriter, r *http.Request) {
 func (api *API) patchCancelTemplateVersion(rw http.ResponseWriter, r *http.Request) {
 	templateVersion := httpmw.TemplateVersionParam(r)
 	if !api.Authorize(r, rbac.ActionUpdate, templateVersion) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %q", templateVersion.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -88,7 +88,7 @@ func (api *API) patchCancelTemplateVersion(rw http.ResponseWriter, r *http.Reque
 func (api *API) templateVersionSchema(rw http.ResponseWriter, r *http.Request) {
 	templateVersion := httpmw.TemplateVersionParam(r)
 	if !api.Authorize(r, rbac.ActionRead, templateVersion) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %q", templateVersion.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -136,7 +136,7 @@ func (api *API) templateVersionParameters(rw http.ResponseWriter, r *http.Reques
 	apiKey := httpmw.APIKey(r)
 	templateVersion := httpmw.TemplateVersionParam(r)
 	if !api.Authorize(r, rbac.ActionRead, templateVersion) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %q", templateVersion.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -180,14 +180,14 @@ func (api *API) postTemplateVersionDryRun(rw http.ResponseWriter, r *http.Reques
 	apiKey := httpmw.APIKey(r)
 	templateVersion := httpmw.TemplateVersionParam(r)
 	if !api.Authorize(r, rbac.ActionRead, templateVersion) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %q", templateVersion.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 	// We use the workspace RBAC check since we don't want to allow dry runs if
 	// the user can't create workspaces.
 	if !api.Authorize(r, rbac.ActionCreate,
 		rbac.ResourceWorkspace.InOrg(templateVersion.OrganizationID).WithOwner(apiKey.UserID.String())) {
-		httpapi.Forbidden(rw)
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -301,7 +301,7 @@ func (api *API) patchTemplateVersionDryRunCancel(rw http.ResponseWriter, r *http
 	}
 	if !api.Authorize(r, rbac.ActionUpdate,
 		rbac.ResourceWorkspace.InOrg(templateVersion.OrganizationID).WithOwner(job.InitiatorID.String())) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %q", templateVersion.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -344,7 +344,7 @@ func (api *API) fetchTemplateVersionDryRunJob(rw http.ResponseWriter, r *http.Re
 		jobID           = chi.URLParam(r, "jobID")
 	)
 	if !api.Authorize(r, rbac.ActionRead, templateVersion) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %q", templateVersion.ID))
+		httpapi.ResourceNotFound(rw)
 		return database.ProvisionerJob{}, false
 	}
 
@@ -403,7 +403,7 @@ func (api *API) fetchTemplateVersionDryRunJob(rw http.ResponseWriter, r *http.Re
 func (api *API) templateVersionsByTemplate(rw http.ResponseWriter, r *http.Request) {
 	template := httpmw.TemplateParam(r)
 	if !api.Authorize(r, rbac.ActionRead, template) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %q", template.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -491,7 +491,7 @@ func (api *API) templateVersionsByTemplate(rw http.ResponseWriter, r *http.Reque
 func (api *API) templateVersionByName(rw http.ResponseWriter, r *http.Request) {
 	template := httpmw.TemplateParam(r)
 	if !api.Authorize(r, rbac.ActionRead, template) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %q", template.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -531,7 +531,7 @@ func (api *API) templateVersionByName(rw http.ResponseWriter, r *http.Request) {
 func (api *API) patchActiveTemplateVersion(rw http.ResponseWriter, r *http.Request) {
 	template := httpmw.TemplateParam(r)
 	if !api.Authorize(r, rbac.ActionUpdate, template) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %q", template.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -618,12 +618,12 @@ func (api *API) postTemplateVersionsByOrganization(rw http.ResponseWriter, r *ht
 
 	// Making a new template version is the same permission as creating a new template.
 	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceTemplate.InOrg(organization.ID)) {
-		httpapi.Forbidden(rw)
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
 	if !api.Authorize(r, rbac.ActionRead, file) {
-		httpapi.Forbidden(rw)
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -705,7 +705,7 @@ func (api *API) postTemplateVersionsByOrganization(rw http.ResponseWriter, r *ht
 func (api *API) templateVersionResources(rw http.ResponseWriter, r *http.Request) {
 	templateVersion := httpmw.TemplateVersionParam(r)
 	if !api.Authorize(r, rbac.ActionRead, templateVersion) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %q", templateVersion.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
@@ -727,7 +727,7 @@ func (api *API) templateVersionResources(rw http.ResponseWriter, r *http.Request
 func (api *API) templateVersionLogs(rw http.ResponseWriter, r *http.Request) {
 	templateVersion := httpmw.TemplateVersionParam(r)
 	if !api.Authorize(r, rbac.ActionRead, templateVersion) {
-		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %q", templateVersion.ID))
+		httpapi.ResourceNotFound(rw)
 		return
 	}
 
diff --git a/coderd/users.go b/coderd/users.go
diff --git a/coderd/workspaceapps.go b/coderd/workspaceapps.go
diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
diff --git a/coderd/workspaceresources.go b/coderd/workspaceresources.go
diff --git a/coderd/workspaces.go b/coderd/workspaces.go
diff --git a/coderd/workspaces_test.go b/coderd/workspaces_test.go

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ func (api API) fileByHash(rw http.ResponseWriter, r http.Request) {`
`87`	`87`	`}`
`88`	`88`	`file, err := api.Database.GetFileByHash(r.Context(), hash)`
`89`	`89`	`if errors.Is(err, sql.ErrNoRows) {`
`90`		`- httpapi.ResourceNotFound(rw, fmt.Sprintf("File %q", hash))`
	`90`	`+ httpapi.ResourceNotFound(rw)`
`91`	`91`	`return`
`92`	`92`	`}`
`93`	`93`	`if err != nil {`
`@@ -101,7 +101,7 @@ func (api API) fileByHash(rw http.ResponseWriter, r http.Request) {`
`101`	`101`	`if !api.Authorize(r, rbac.ActionRead,`
`102`	`102`	`rbac.ResourceFile.WithOwner(file.CreatedBy.String()).WithID(file.Hash)) {`
`103`	`103`	`// Return 404 to not leak the file exists`
`104`		`- httpapi.ResourceNotFound(rw, fmt.Sprintf("File %q", hash))`
	`104`	`+ httpapi.ResourceNotFound(rw)`
`105`	`105`	`return`
`106`	`106`	`}`
`107`	`107`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ func (api API) regenerateGitSSHKey(rw http.ResponseWriter, r http.Request) {`
`15`	`15`	`user := httpmw.UserParam(r)`
`16`	`16`
`17`	`17`	`if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceUserData.WithOwner(user.ID.String())) {`
`18`		`- httpapi.Forbidden(rw)`
	`18`	`+ httpapi.ResourceNotFound(rw)`
`19`	`19`	`return`
`20`	`20`	`}`
`21`	`21`
`@@ -64,7 +64,7 @@ func (api API) gitSSHKey(rw http.ResponseWriter, r http.Request) {`
`64`	`64`	`user := httpmw.UserParam(r)`
`65`	`65`
`66`	`66`	`if !api.Authorize(r, rbac.ActionRead, rbac.ResourceUserData.WithOwner(user.ID.String())) {`
`67`		`- httpapi.Forbidden(rw)`
	`67`	`+ httpapi.ResourceNotFound(rw)`
`68`	`68`	`return`
`69`	`69`	`}`
`70`	`70`
Original file line number	Diff line number	Diff line change
`@@ -76,9 +76,11 @@ type Error struct {`
`76`	`76`	Detail string `json:"detail" validate:"required"`
`77`	`77`	`}`
`78`	`78`
`79`		`-func ResourceNotFound(rw http.ResponseWriter, resource string) {`
	`79`	`+// ResourceNotFound is intentionally vague. All 404 responses should be identical`
	`80`	`+// to prevent leaking existence of resources.`
	`81`	`+func ResourceNotFound(rw http.ResponseWriter) {`
`80`	`82`	`Write(rw, http.StatusNotFound, Response{`
`81`		`- Message: fmt.Sprintf("%s does not exist.", resource),`
	`83`	`+ Message: fmt.Sprintf("Resource not found"),`
`82`	`84`	`})`
`83`	`85`	`}`
`84`	`86`
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ func ExtractTemplateParam(db database.Store) func(http.Handler) http.Handler {`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`if template.Deleted {`
`50`		`- httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %q", templateID))`
	`50`	`+ httpapi.ResourceNotFound(rw)`
`51`	`51`	`return`
`52`	`52`	`}`
`53`	`53`