fix: add ownership verification on env var, label, volume, and port deletion

Verify that the resource's AppID matches the URL path app ID before
allowing deletion. Without this check, any authenticated user could
delete resources belonging to any app by providing the target resource's
ID in the URL regardless of the app ID in the path (IDOR vulnerability).

Closes #19
2026-02-15 20:52:59 -08:00
parent 6475389280
commit 867cdf01ab
3 changed files with 48 additions and 40 deletions


@@ -824,7 +824,7 @@ func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
}
envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
if findErr != nil || envVar == nil {
if findErr != nil || envVar == nil || envVar.AppID != appID {
http.NotFound(writer, request)
return
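Review bot: The added `envVar.AppID != appID` condition in HandleEnvVarDelete only ties the env var to the app named in the path; nothing visible in this hunk shows that the requesting user is authorized for `appID` itself, so the check is an ownership guarantee only if that authorization happens earlier in the handler, which starts outside the hunk. The same holds for the label, volume and port hunks below. I would document the intent at each site with a comment such as `// Reject resources that belong to a different app than the one in the URL.` Consider also moving the comparison into one shared helper or an app-scoped lookup, so that other handlers operating on these resources cannot omit it.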
@@ -871,7 +871,7 @@ func (h *Handlers) HandleLabelDelete() http.HandlerFunc {
}
label, findErr := models.FindLabel(request.Context(), h.db, labelID)
if findErr != nil || label == nil {
if findErr != nil || label == nil || label.AppID != appID {
http.NotFound(writer, request)
return
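Review bot: The condition in HandleLabelDelete folds three different outcomes into one silent 404: a lookup error, a missing label, and a label that belongs to another app. Answering 404 on a mismatch is a reasonable choice because it does not reveal that the ID exists, but a failed lookup is then indistinguishable from "not found", and a cross-app attempt leaves no trace for detection. I would split the branches so that `findErr != nil` is logged and handled as a server error, and the `label.AppID != appID` case is logged with the app ID and label ID before the 404 is sent. The env var, volume and port hunks share this pattern.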
@@ -949,7 +949,7 @@ func (h *Handlers) HandleVolumeDelete() http.HandlerFunc {
}
volume, findErr := models.FindVolume(request.Context(), h.db, volumeID)
if findErr != nil || volume == nil {
if findErr != nil || volume == nil || volume.AppID != appID {
http.NotFound(writer, request)
return
@@ -1039,7 +1039,7 @@ func (h *Handlers) HandlePortDelete() http.HandlerFunc {
}
port, findErr := models.FindPort(request.Context(), h.db, portID)
if findErr != nil || port == nil {
if findErr != nil || port == nil || port.AppID != appID {
http.NotFound(writer, request)
return