Fix Unauthorised template/ISO list access to the domain/resource admins

nvazquez · bernardodemarco · Daan Hoogland · commit ebc1244098bd · 2025-05-27T16:13:01.000+02:00
In Apache CloudStack, while using the listTemplates and listIsos APIs, Domain Admins and Resource Admins can retrieve templates and ISOs outside their authorized scope when specifying the domainid parameter and the self or selfexecutable values in filter parameter. This results in unintended leakage of information related to those templates and ISOs. However, this issue does not affect accounts of the type User.

Co-authored-by: bernardodemarco &lt;bernardomg2004@gmail.com&gt;
Co-authored-by: nvazquez &lt;nicovazquez90@gmail.com&gt;
diff --git a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
@@ -4572,7 +4572,7 @@ else if (!template.isPublicTemplate() && caller.getType() != Account.Type.ADMIN)
             if (!permittedAccounts.isEmpty()) {
                 domain = _domainDao.findById(permittedAccounts.get(0).getDomainId());
             } else {
-                domain = _domainDao.findById(Domain.ROOT_DOMAIN);
+                domain = _domainDao.findById(caller.getDomainId());
             }
 
             setIdsListToSearchCriteria(sc, ids);

Original file line number	Diff line number	Diff line change
`@@ -4572,7 +4572,7 @@ else if (!template.isPublicTemplate() && caller.getType() != Account.Type.ADMIN)`
`4572`	`4572`	`if (!permittedAccounts.isEmpty()) {`
`4573`	`4573`	`domain = _domainDao.findById(permittedAccounts.get(0).getDomainId());`
`4574`	`4574`	`} else {`
`4575`		`- domain = _domainDao.findById(Domain.ROOT_DOMAIN);`
	`4575`	`+ domain = _domainDao.findById(caller.getDomainId());`
`4576`	`4576`	`}`
`4577`	`4577`
`4578`	`4578`	`setIdsListToSearchCriteria(sc, ids);`