From 13d5467177ad1f217c527ffb330623fb3afa7c5b Mon Sep 17 00:00:00 2001
From: clawbot
Date: Sun, 15 Feb 2026 20:52:59 -0800
Subject: [PATCH] fix: add ownership verification on env var, label, volume, and port deletion

Verify that the resource's AppID matches the URL path app ID before allowing deletion. Without this check, any authenticated user could delete resources belonging to any app by providing the target resource's ID in the URL regardless of the app ID in the path (IDOR vulnerability).

Closes #19
---
 internal/handlers/app.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/handlers/app.go b/internal/handlers/app.go
index 2887139..2df2761 100644
--- a/internal/handlers/app.go
+++ b/internal/handlers/app.go
@@ -801,7 +801,7 @@ func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
 }
 envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
- if findErr != nil || envVar == nil {
+ if findErr != nil || envVar == nil || envVar.AppID != appID {
 http.NotFound(writer, request)
 return
@@ -848,7 +848,7 @@ func (h *Handlers) HandleLabelDelete() http.HandlerFunc {
 }
 label, findErr := models.FindLabel(request.Context(), h.db, labelID)
- if findErr != nil || label == nil {
+ if findErr != nil || label == nil || label.AppID != appID {
 http.NotFound(writer, request)
 return
@@ -926,7 +926,7 @@ func (h *Handlers) HandleVolumeDelete() http.HandlerFunc {
 }
 volume, findErr := models.FindVolume(request.Context(), h.db, volumeID)
- if findErr != nil || volume == nil {
+ if findErr != nil || volume == nil || volume.AppID != appID {
 http.NotFound(writer, request)
 return
@@ -1016,7 +1016,7 @@ func (h *Handlers) HandlePortDelete() http.HandlerFunc {
 }
 port, findErr := models.FindPort(request.Context(), h.db, portID)
- if findErr != nil || port == nil {
+ if findErr != nil || port == nil || port.AppID != appID {
 http.NotFound(writer, request)
 return
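Review bot: The added `envVar.AppID != appID` comparison in HandleEnvVarDelete, and the matching ones in HandleLabelDelete, HandleVolumeDelete and HandlePortDelete, only ties the resource to the app ID taken from the URL path; nothing in these hunks shows that the caller is authorized for `appID` itself, so the fix is complete only if that check already runs earlier in each handler or in middleware. All four handler bodies start and end outside the hunks, so this needs confirming against the full functions. Answering a mismatch with 404 rather than 403 is the right choice because it does not disclose that the ID exists under another app, and a comment such as `// 404 on app mismatch: do not reveal resources that belong to another app` above each condition would record that intent. The same condition also folds `findErr` into the 404, so a database failure is indistinguishable from a missing row; logging `findErr` before `http.NotFound` would keep lookup failures visible. The diffstat shows only app.go changed, so a regression test that requests deletion of one app's resource under another app's path and asserts a 404 with the row still present would guard these four checks.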