Add ownership verification on resource deletion (closes #19) #28

Merged

sneak merged 2 commits from :fix/ownership-verification-on-delete into main

2026-02-16 06:12:52 +01:00

Author	SHA1	Message	Date
clawbot	867cdf01ab	fix: add ownership verification on env var, label, volume, and port deletion Verify that the resource's AppID matches the URL path app ID before allowing deletion. Without this check, any authenticated user could delete resources belonging to any app by providing the target resource's ID in the URL regardless of the app ID in the path (IDOR vulnerability). Closes #19	2026-02-15 21:02:46 -08:00
clawbot	6475389280	test: add IDOR tests for resource deletion ownership verification Tests demonstrate that env vars, labels, volumes, and ports can be deleted via another app's URL path without ownership checks. All 4 tests fail, confirming the vulnerability described in #19.	2026-02-15 21:00:41 -08:00

Author

SHA1

Message

Date

clawbot

867cdf01ab

fix: add ownership verification on env var, label, volume, and port deletion

Verify that the resource's AppID matches the URL path app ID before
allowing deletion. Without this check, any authenticated user could
delete resources belonging to any app by providing the target resource's
ID in the URL regardless of the app ID in the path (IDOR vulnerability).

Closes #19

2026-02-15 21:02:46 -08:00

clawbot

6475389280

test: add IDOR tests for resource deletion ownership verification

Tests demonstrate that env vars, labels, volumes, and ports can be
deleted via another app's URL path without ownership checks.

All 4 tests fail, confirming the vulnerability described in #19.

2026-02-15 21:00:41 -08:00

Add ownership verification on resource deletion (closes #19) #28

2 Commits