IOC edit silently drops Source Reference: update() never calls setSourceRef() #8

Open
opened 2026-07-01 12:21:29 -04:00 by hiveiq · 0 comments
Owner

Summary

ThreatIocController.update (PUT /api/aria/ioc/{id}) updates value, description, confidence, and expiresAt but never applies sourceRef from the request. Editing an IOC's Source Reference in the UI silently no-ops — the field keeps its old value with no error shown to the user.

Confirmed code refs

  • src/main/java/com/hiveops/aria/controller/ThreatIocController.javaupdate(Long id, CreateIocRequest request), lines 63-71. Body sets:
    • ioc.setValue(...) (65)
    • ioc.setDescription(...) (66)
    • ioc.setConfidence(...) (67)
    • ioc.setExpiresAt(...) (68)
    • No ioc.setSourceRef(request.getSourceRef()) — the field is silently ignored on save.
  • For contrast, create() (line 53) does set .sourceRef(request.getSourceRef()), and CreateIocRequest exposes sourceRef (line 90).
  • Entity supports it: src/main/java/com/hiveops/aria/entity/ThreatIoc.java:36private String sourceRef;.
  • Frontend proves the field is submitted on edit: frontend/src/components/IocManagement.svelte — edit form pre-fills sourceRef (line 91), builds a single payload including sourceRef: form.sourceRef.trim() || undefined (line 114), and sends it via ariaApi.updateIoc(...) on edit (line 119). The input is bound at line 332.

Impact

A BCOS_ADMIN editing an IOC and changing "Source Reference" (e.g. correcting an "FBI FLASH AC-000265-TT" citation) sees a success toast ("IOC updated") but the change is never persisted. Silent data-loss on one edit field; misleading UX. No security/scoping implications.

Suggested fix

Add the missing setter in update():

ioc.setSourceRef(request.getSourceRef());

placed alongside the other ioc.set... calls (after line 66/68). Optionally match confidence's null-preserving semantics if partial updates are desired, but for consistency with the create path a straight set is appropriate.

Verified against code via the guide KB verification pass.

## Summary `ThreatIocController.update` (PUT `/api/aria/ioc/{id}`) updates value, description, confidence, and expiresAt but never applies `sourceRef` from the request. Editing an IOC's Source Reference in the UI silently no-ops — the field keeps its old value with no error shown to the user. ## Confirmed code refs - `src/main/java/com/hiveops/aria/controller/ThreatIocController.java` — `update(Long id, CreateIocRequest request)`, lines 63-71. Body sets: - `ioc.setValue(...)` (65) - `ioc.setDescription(...)` (66) - `ioc.setConfidence(...)` (67) - `ioc.setExpiresAt(...)` (68) - **No `ioc.setSourceRef(request.getSourceRef())`** — the field is silently ignored on save. - For contrast, `create()` (line 53) does set `.sourceRef(request.getSourceRef())`, and `CreateIocRequest` exposes `sourceRef` (line 90). - Entity supports it: `src/main/java/com/hiveops/aria/entity/ThreatIoc.java:36` — `private String sourceRef;`. - Frontend proves the field is submitted on edit: `frontend/src/components/IocManagement.svelte` — edit form pre-fills `sourceRef` (line 91), builds a single `payload` including `sourceRef: form.sourceRef.trim() || undefined` (line 114), and sends it via `ariaApi.updateIoc(...)` on edit (line 119). The input is bound at line 332. ## Impact A BCOS_ADMIN editing an IOC and changing "Source Reference" (e.g. correcting an "FBI FLASH AC-000265-TT" citation) sees a success toast ("IOC updated") but the change is never persisted. Silent data-loss on one edit field; misleading UX. No security/scoping implications. ## Suggested fix Add the missing setter in `update()`: ```java ioc.setSourceRef(request.getSourceRef()); ``` placed alongside the other `ioc.set...` calls (after line 66/68). Optionally match `confidence`'s null-preserving semantics if partial updates are desired, but for consistency with the create path a straight set is appropriate. _Verified against code via the guide KB verification pass._
hiveiq added the Bug
Priority
Medium
labels 2026-07-01 12:21:29 -04:00
johannes was assigned by hiveiq 2026-07-01 12:21:29 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: hiveiq-src/hiveops-aria#8