lxd: Use retrieved volume name instead of user-provided name

Although of course this will be the same as the user-supplied name given GetStoragePoolVolume returns without error, using the retrieved name ensures code-analysis tools are able to track that we are not directly using user-provided values. If we don't do this, then CodeQL for example may assume we are not validating user-provided values which may be used in path expressions. Signed-off-by: Mark Bolton <[email protected]>
canonical · Sep 4, 2024 · 75dc34c · 75dc34c
1 parent e0ae8cf
commit 75dc34c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lxd/daemon_storage.go b/lxd/daemon_storage.go
@@ -175,7 +175,7 @@ func daemonStorageValidate(s *state.State, target string) error {
 			return fmt.Errorf("Storage volume %q in %q project is not filesystem content type", target, api.ProjectDefaultName)
 		}
 
-		snapshots, err = tx.GetLocalStoragePoolVolumeSnapshotsWithType(ctx, api.ProjectDefaultName, volumeName, cluster.StoragePoolVolumeTypeCustom, poolID)
+		snapshots, err = tx.GetLocalStoragePoolVolumeSnapshotsWithType(ctx, api.ProjectDefaultName, dbVol.Name, cluster.StoragePoolVolumeTypeCustom, poolID)
 		if err != nil {
 			return fmt.Errorf("Unable to load storage volume snapshots %q in %q project: %w", target, api.ProjectDefaultName, err)
 		}