
Fix IDOR Security Vulnerability on /api/resources/get/{resource_id} #1448

Open
wants to merge 2 commits into
base: main

Conversation


@r0path r0path commented Jan 17, 2025

Description

Our ZeroPath.com code security tool has found a broken authentication flaw enabling us to view tens of thousands of customers' files (via the publicly hosted version). It enabled us to access secrets, business documents, and health information belonging to other users. We have created a patch to enforce authorization when fetching a resource.

We created this PR because we were unable to find a maintainer or a relevant security contact.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Docs update

Checklist

  • My pull request is atomic and focuses on a single change.
  • I have read the contributing guide and my code conforms to the guidelines.
  • I have documented my changes clearly and comprehensively.
  • I have added the required tests.
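The flaw described above is an insecure direct object reference: the handler for `/api/resources/get/{resource_id}` looked a record up by the id from the URL without checking that the requesting user is allowed to see it. The following is an added illustration, not code from this PR or from the project; the store, the user ids, the file contents and the function names (`fetch_unchecked`, `fetch_authorized`, `handle_get_resource`) are all constructed for the example. It puts the vulnerable lookup pattern beside the authorized form, where ownership is checked against the session identity on the server and a foreign id is answered exactly like a missing one.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class NotFound(Exception):
    """Raised when the resource does not exist or is not visible to the caller."""


@dataclass(frozen=True)
class Resource:
    resource_id: int
    owner_id: int
    filename: str
    content: bytes


# Constructed sample data (not from the project): two users, each owning one file.
RESOURCES: Dict[int, Resource] = {
    1: Resource(1, owner_id=100, filename="notes.txt", content=b"alice's private notes"),
    2: Resource(2, owner_id=200, filename="labs.pdf", content=b"bob's health record"),
}


def fetch_unchecked(resource_id: int) -> Resource:
    """IDOR pattern: the id alone selects the record, so any authenticated
    user who can guess or enumerate ids reads every other user's file."""
    resource = RESOURCES.get(resource_id)
    if resource is None:
        raise NotFound(resource_id)
    return resource


def fetch_authorized(resource_id: int, current_user_id: int) -> Resource:
    """Hardened form: the caller's identity comes from the server-side session,
    never from the request, and the ownership check is part of the lookup.
    A record owned by someone else raises the same NotFound as a missing id,
    so the endpoint does not confirm which ids exist."""
    resource = RESOURCES.get(resource_id)
    if resource is None or resource.owner_id != current_user_id:
        raise NotFound(resource_id)
    return resource


def handle_get_resource(path_resource_id: str,
                        session_user_id: Optional[int]) -> Tuple[int, bytes]:
    """Simulated handler for GET /api/resources/get/{resource_id} (constructed).
    Returns (http_status, body). Authentication and authorization are separate
    steps: no session -> 401; a valid session but a foreign or unknown id -> 404."""
    if session_user_id is None:
        return 401, b""
    try:
        rid = int(path_resource_id)
    except ValueError:
        return 404, b""  # malformed id is treated the same as an unknown one
    try:
        resource = fetch_authorized(rid, session_user_id)
    except NotFound:
        return 404, b""
    return 200, resource.content


if __name__ == "__main__":
    # User 100 requesting user 200's file: the unchecked path leaks it,
    # the authorized handler refuses it.
    print(fetch_unchecked(2).content)            # leaks b"bob's health record"
    print(handle_get_resource("2", 100))         # (404, b'')
    print(handle_get_resource("2", 200))         # (200, b"bob's health record")
```

The test that belongs with a fix like this is the negative case: an authenticated user requesting another user's id must get the same response as for a nonexistent id, and the body must be empty. Tying the ownership predicate to the lookup (rather than to a separate check the next endpoint can forget) is what keeps every new route that fetches by id from reintroducing the bug.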

ZeroPath and others added 2 commits January 17, 2025 09:23
…ference_idor_1737105809757082

Title: Fix authorization flaw in `download_file_by_id` function to ensure proper user access validation for resource downloads.

r0path commented Jan 22, 2025

@ak-gupta89 Thanks for reviewing this. I don't think I can submit it. Let me know if there are additional steps or reviewal required.
