BSR

oharsta · oharsta · commit e280ce32b8ec · 2026-02-02T16:22:18.000+01:00
diff --git a/server/src/main/java/invite/api/ManageController.java b/server/src/main/java/invite/api/ManageController.java
@@ -29,6 +29,7 @@
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -161,10 +162,20 @@ public ResponseEntity<Map<String, List<Map<String, Object>>>> applications(@Para
                 .toList());
         return ResponseEntity.ok(Map.of(
                 "providers", providers,
-                "provisionings", provisionings
+                "provisionings", sanitizeProvisionings(provisionings)
         ));
     }
 
+    private List<Map<String, Object>> sanitizeProvisionings(List<Map<String, Object>> provisionings) {
+        List<String> allowedAttributes = List.of("applications", "name:en", "provisioning_type", "name:nl");
+        return provisionings.stream().map(provisioning -> {
+                    Map<String, Object> sanitized = new HashMap<>();
+                    allowedAttributes.forEach(attr -> sanitized.put(attr, provisioning.get(attr)));
+                    return sanitized;
+                }
+        ).toList();
+    }
+
     @GetMapping("/provisionings/{id}")
     public ResponseEntity<Boolean> provisionings(@PathVariable("id") String id,
                                                  @Parameter(hidden = true) User user) {
diff --git a/server/src/test/java/invite/api/ManageControllerTest.java b/server/src/test/java/invite/api/ManageControllerTest.java
@@ -44,7 +44,9 @@ void applications() throws Exception {
                 .as(new TypeRef<>() {
                 });
         assertEquals(5, result.get("providers").size());
-        assertEquals(4, result.get("provisionings").size());
+        List<Map<String, Object>> provisionings = result.get("provisionings");
+        assertEquals(4, provisionings.size());
+        provisionings.forEach(provisioning -> assertTrue(provisioning.size() < 5));
 
         List<LoggedRequest> loggedRequestsForSP = findAll(postRequestedFor(urlPathMatching("/manage/api/internal/rawSearch/saml20_sp")));
         assertEquals(1, loggedRequestsForSP.size());
