fix: add ownership verification on env var, label, volume, and port deletion

Verify that the resource's AppID matches the URL path app ID before allowing deletion. Without this check, any authenticated user could delete resources belonging to any app by providing the target resource's ID in the URL regardless of the app ID in the path (IDOR vulnerability). Closes #19
2026-02-15 20:52:59 -08:00 · 2026-02-15 20:52:59 -08:00 · 13d5467177
commit 13d5467177
parent 0f3e99f7cc
1 changed files with 4 additions and 4 deletions
--- a/internal/handlers/app.go
+++ b/internal/handlers/app.go
@ -801,7 +801,7 @@ func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
 		}
 		envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
-		if findErr != nil || envVar == nil {
+		if findErr != nil || envVar == nil || envVar.AppID != appID {
 			http.NotFound(writer, request)
 			return
@ -848,7 +848,7 @@ func (h *Handlers) HandleLabelDelete() http.HandlerFunc {
 		}
 		label, findErr := models.FindLabel(request.Context(), h.db, labelID)
-		if findErr != nil || label == nil {
+		if findErr != nil || label == nil || label.AppID != appID {
 			http.NotFound(writer, request)
 			return
@ -926,7 +926,7 @@ func (h *Handlers) HandleVolumeDelete() http.HandlerFunc {
 		}
 		volume, findErr := models.FindVolume(request.Context(), h.db, volumeID)
-		if findErr != nil || volume == nil {
+		if findErr != nil || volume == nil || volume.AppID != appID {
 			http.NotFound(writer, request)
 			return
@ -1016,7 +1016,7 @@ func (h *Handlers) HandlePortDelete() http.HandlerFunc {
 		}
 		port, findErr := models.FindPort(request.Context(), h.db, portID)
-		if findErr != nil || port == nil {
+		if findErr != nil || port == nil || port.AppID != appID {
 			http.NotFound(writer, request)
 			return