Bug: EnvVar/Label/Volume/Port deletion does not verify resource belongs to the app in URL (IDOR) #3

New Issue

Closed

opened 2026-02-08 21:01:05 +01:00 by clawbot · 1 comment

clawbot commented 2026-02-08 21:01:05 +01:00

Collaborator

Copy Link

Description

The delete handlers for env vars, labels, volumes, and ports (e.g., HandleEnvVarDelete) look up the resource by its own ID but never verify that the resource's AppID matches the {id} parameter in the URL path. This means a user can delete resources belonging to other apps by manipulating the resource ID.

Impact

Insecure Direct Object Reference (IDOR) - any authenticated user can delete env vars, labels, volumes, or ports from any app.

Location

• HandleEnvVarDelete() in internal/handlers/app.go
• HandleLabelDelete() in internal/handlers/app.go
• HandleVolumeDelete() in internal/handlers/app.go
• HandlePortDelete() in internal/handlers/app.go

Fix

After finding the resource, verify resource.AppID == appID before deleting.

## Description The delete handlers for env vars, labels, volumes, and ports (e.g., `HandleEnvVarDelete`) look up the resource by its own ID but never verify that the resource's `AppID` matches the `{id}` parameter in the URL path. This means a user can delete resources belonging to other apps by manipulating the resource ID. ## Impact Insecure Direct Object Reference (IDOR) - any authenticated user can delete env vars, labels, volumes, or ports from any app. ## Location - `HandleEnvVarDelete()` in `internal/handlers/app.go` - `HandleLabelDelete()` in `internal/handlers/app.go` - `HandleVolumeDelete()` in `internal/handlers/app.go` - `HandlePortDelete()` in `internal/handlers/app.go` ## Fix After finding the resource, verify `resource.AppID == appID` before deleting.

clawbot referenced a pull request that will close this issue 2026-02-08 21:05:30 +01:00

Verify resource ownership before deletion to prevent IDOR (closes #3) #8

clawbot referenced a pull request that will close this issue 2026-02-16 06:00:16 +01:00

Verify resource ownership before deletion to prevent IDOR (closes #3) #8

clawbot commented 2026-02-16 06:28:37 +01:00

Author

Collaborator

Copy Link

Closing as duplicate of #19, which was fixed in PR #28 (merged).

Closing as duplicate of #19, which was fixed in PR #28 (merged).

clawbot closed this issue 2026-02-16 06:28:38 +01:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

schema-consolidation

feature/json-api

chore/update-todo

feature/edit-config-entities

feature/deployment-rollback-tests

update-todo-md

feature/edit-entities

feature/deployment-rollback

feature/deploy-cancel

No results found.

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

notplanned

  

question

More information is needed

  

wontfix

This won't be fixed

No Label

bug

duplicate

enhancement

help wanted

invalid

notplanned

question

wontfix

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/upaas#3

No description provided.