Add null check for ApiKeyPair in getUserByApiKey

daviftorres · web-flow · commit a8499255affb · 2026-03-31T11:11:30.000-04:00
The function getUserByApiKey was not checking for null pointers. I think this is safe from the perspective of security, but this is a smell. And it can be easily addressed with the same solution used in line 3160.
diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -3828,6 +3828,9 @@ public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEn
     @Override
     public UserAccount getUserByApiKey(String apiKey) {
         ApiKeyPairVO keyPair = apiKeyPairDao.findByApiKey(apiKey);
+        if (keyPair == null) {
+            return null;
+        }
         return userAccountDao.findById(keyPair.getUserId());
     }
 

Original file line number	Diff line number	Diff line change
`@@ -3828,6 +3828,9 @@ public void buildACLViewSearchCriteria(SearchCriteria<? extends ControlledViewEn`
`3828`	`3828`	`@Override`
`3829`	`3829`	`public UserAccount getUserByApiKey(String apiKey) {`
`3830`	`3830`	`ApiKeyPairVO keyPair = apiKeyPairDao.findByApiKey(apiKey);`
	`3831`	`+ if (keyPair == null) {`
	`3832`	`+ return null;`
	`3833`	`+ }`
`3831`	`3834`	`return userAccountDao.findById(keyPair.getUserId());`
`3832`	`3835`	`}`
`3833`	`3836`