conikeec · conikeec · Aug 8, 2024 · Aug 8, 2024 · Aug 8, 2024 · Aug 8, 2024
diff --git a/src/main/java/io/shiftleft/controller/AdminController.java b/src/main/java/io/shiftleft/controller/AdminController.java
@@ -28,19 +28,30 @@ public class AdminController {
   private String fail = "redirect:/";
 
   // helper
-  private boolean isAdmin(String auth)
+	private boolean isAdmin(String auth)
   {
     try {
-      ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth));
-      ObjectInputStream objectInputStream = new ObjectInputStream(bis);
+      byte[] data = Base64.getDecoder().decode(auth);
+      ByteArrayInputStream bis = new ByteArrayInputStream(data);
+      ObjectInputStream objectInputStream = new CustomObjectInputStream(bis);
       Object authToken = objectInputStream.readObject();
+
+      if(!(authToken instanceof AuthToken)) {
+        throw new IllegalArgumentException("Invalid auth token type");
+      }
+
       return ((AuthToken) authToken).isAdmin();
     } catch (Exception ex) {
       System.out.println(" cookie cannot be deserialized: "+ex.getMessage());
       return false;
     }
   }
 
+      System.out.println(" cookie cannot be deserialized: "+ex.getMessage());
+      return false;
+    }
+  }
+
   //
   @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.POST)
   public String doPostPrintSecrets(HttpServletResponse response, HttpServletRequest request) {
@@ -135,3 +146,4 @@ public String doGetLogin(HttpServletResponse response, HttpServletRequest reques
     return "redirect:/";
   }
 }
+