sneak/upaas
1
0
Fork 0
Code Issues 21 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Add ownership verification on resource deletion (closes #19) #28

Merged
sneak merged 2 commits from :fix/ownership-verification-on-delete into main 2026-02-16 06:12:52 +01:00
Conversation 6 Commits 2 Files Changed 2 +48 -40
3 changed files with 48 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 867cdf01ab - Show all commits

8
internal/handlers/app.go
View File

@ -824,7 +824,7 @@ func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
}
envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
if findErr != nil || envVar == nil {
if findErr != nil || envVar == nil || envVar.AppID != appID {
http.NotFound(writer, request)
return
@ -871,7 +871,7 @@ func (h *Handlers) HandleLabelDelete() http.HandlerFunc {
}
label, findErr := models.FindLabel(request.Context(), h.db, labelID)
if findErr != nil || label == nil {
if findErr != nil || label == nil || label.AppID != appID {
http.NotFound(writer, request)
return
@ -949,7 +949,7 @@ func (h *Handlers) HandleVolumeDelete() http.HandlerFunc {
}
volume, findErr := models.FindVolume(request.Context(), h.db, volumeID)
if findErr != nil || volume == nil {
if findErr != nil || volume == nil || volume.AppID != appID {
http.NotFound(writer, request)
return
@ -1039,7 +1039,7 @@ func (h *Handlers) HandlePortDelete() http.HandlerFunc {
}
port, findErr := models.FindPort(request.Context(), h.db, portID)
if findErr != nil || port == nil {
if findErr != nil || port == nil || port.AppID != appID {
http.NotFound(writer, request)
return

10
internal/handlers/handlers_test.go
View File

@ -452,7 +452,7 @@ func createTestApp(
// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
// via another app's URL path returns 404 (IDOR prevention).
func TestDeleteEnvVarOwnershipVerification(t *testing.T) {
func TestHandleWebhookRejectsOversizedBody(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
@ -491,6 +491,14 @@ func TestDeleteEnvVarOwnershipVerification(t *testing.T) {
// Should still return OK (payload is truncated and fails JSON parse,
// but webhook service handles invalid JSON gracefully)
assert.Equal(t, http.StatusOK, recorder.Code)
}
// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
// via another app's URL path returns 404 (IDOR prevention).
func TestDeleteEnvVarOwnershipVerification(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
app1 := createTestApp(t, testCtx, "envvar-owner-app")
app2 := createTestApp(t, testCtx, "envvar-other-app")

2
internal/server/routes.go
View File

@ -46,7 +46,7 @@ func (s *Server) SetupRoutes() {
// Public routes
r.Get("/login", s.handlers.HandleLoginGET())
r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleLoginPOST())
r.Post("/login", s.handlers.HandleLoginPOST())
r.Get("/setup", s.handlers.HandleSetupGET())
r.Post("/setup", s.handlers.HandleSetupPOST())