[Fix-18182] [API] User can delete task definitions in unauthorized projects (#18183)

ruanwenjun · web-flow · commit 939439cd830e · 2026-04-20T13:53:09.000+08:00
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/TaskDefinitionServiceImpl.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/TaskDefinitionServiceImpl.java
@@ -615,7 +615,7 @@ public Map<String, Object> deleteByCodeAndVersion(User loginUser, long projectCo
         }
         TaskDefinition taskDefinition = taskDefinitionMapper.queryByCode(taskCode);
 
-        if (taskDefinition == null) {
+        if (taskDefinition == null || projectCode != taskDefinition.getProjectCode()) {
             log.error("Task definition does not exist, taskDefinitionCode:{}.", taskCode);
             putMsg(result, Status.TASK_DEFINE_NOT_EXIST, String.valueOf(taskCode));
         } else {
diff --git a/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/service/TaskDefinitionServiceImplTest.java b/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/service/TaskDefinitionServiceImplTest.java
@@ -180,6 +180,35 @@ public void switchVersion() {
         assertEquals(Status.SUCCESS, relation.get(Constants.STATUS));
     }
 
+    @Test
+    public void deleteByCodeAndVersion() {
+        Project project = getProject();
+        when(projectMapper.queryByCode(PROJECT_CODE)).thenReturn(project);
+        when(projectService.hasProjectAndWritePerm(user, project, new HashMap<>())).thenReturn(true);
+
+        // cross-project privilege escalation: taskCode belongs to another project - must be rejected
+        TaskDefinition otherProjectTask = new TaskDefinition();
+        otherProjectTask.setProjectCode(PROJECT_CODE + 1);
+        otherProjectTask.setCode(TASK_CODE);
+        otherProjectTask.setVersion(VERSION + 1);
+        when(taskDefinitionMapper.queryByCode(TASK_CODE)).thenReturn(otherProjectTask);
+        Map<String, Object> crossProjectResult =
+                taskDefinitionService.deleteByCodeAndVersion(user, PROJECT_CODE, TASK_CODE, VERSION);
+        assertEquals(Status.TASK_DEFINE_NOT_EXIST, crossProjectResult.get(Constants.STATUS));
+        Mockito.verify(taskDefinitionLogMapper, Mockito.never()).deleteByCodeAndVersion(TASK_CODE, VERSION);
+
+        // normal path: taskCode belongs to the project - should succeed
+        TaskDefinition taskDefinition = new TaskDefinition();
+        taskDefinition.setProjectCode(PROJECT_CODE);
+        taskDefinition.setCode(TASK_CODE);
+        taskDefinition.setVersion(VERSION + 1);
+        when(taskDefinitionMapper.queryByCode(TASK_CODE)).thenReturn(taskDefinition);
+        when(taskDefinitionLogMapper.deleteByCodeAndVersion(TASK_CODE, VERSION)).thenReturn(1);
+        Map<String, Object> successResult =
+                taskDefinitionService.deleteByCodeAndVersion(user, PROJECT_CODE, TASK_CODE, VERSION);
+        assertEquals(Status.SUCCESS, successResult.get(Constants.STATUS));
+    }
+
     private void putMsg(Map<String, Object> result, Status status, Object... statusParams) {
         result.put(Constants.STATUS, status);
         if (statusParams != null && statusParams.length > 0) {

Original file line number	Diff line number	Diff line change
`@@ -615,7 +615,7 @@ public Map<String, Object> deleteByCodeAndVersion(User loginUser, long projectCo`
`615`	`615`	`}`
`616`	`616`	`TaskDefinition taskDefinition = taskDefinitionMapper.queryByCode(taskCode);`
`617`	`617`
`618`		`- if (taskDefinition == null) {`
	`618`	`+ if (taskDefinition == null \|\| projectCode != taskDefinition.getProjectCode()) {`
`619`	`619`	`log.error("Task definition does not exist, taskDefinitionCode:{}.", taskCode);`
`620`	`620`	`putMsg(result, Status.TASK_DEFINE_NOT_EXIST, String.valueOf(taskCode));`
`621`	`621`	`} else {`