test: add failing test for task comment IDOR
Proves that a user can read a comment from an inaccessible task by supplying an accessible task ID in the URL. Comment 18 belongs to task 34 (owned by user 13), but testuser1 can read it via task 1. Ref: GHSA-mr3j-p26x-72x4
This commit is contained in:
parent
be0aaa7060
commit
2da89258e5
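--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -311,3 +311,26 @@ func TestTaskComments(t *testing.T) {
 })
 })
 }
+
+func TestTaskCommentIDOR(t *testing.T) {
+t.Run("Cannot read comment from inaccessible task via accessible task ID", func(t *testing.T) {
+// Comment 18 belongs to task 34 (owned by user 13, inaccessible to testuser1).
+// Task 1 is accessible to testuser1.
+// Requesting GET /tasks/1/comments/18 should fail because the comment
+// does not belong to task 1.
+testHandler := webHandlerTest{
+user: &testuser1,
+strFunc: func() handler.CObject {
+return &models.TaskComment{}
+},
+t: t,
+}
+
+_, err := testHandler.testReadOneWithUser(nil, map[string]string{
+"task": "1", // task accessible to testuser1
+"commentid": "18", // comment belonging to task 34, NOT accessible to testuser1
+})
+assert.Error(t, err)
+assertHandlerErrorCode(t, err, models.ErrCodeTaskCommentDoesNotExist)
+})
+}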
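Review bot: The new TestTaskCommentIDOR only exercises the read path (testReadOneWithUser), while the same task-ID/comment-ID mismatch presumably reaches the update and delete handlers for TaskComment through the same URL parameters; if the fix is in the shared lookup, two more subtests using the matching write helpers of webHandlerTest (if they exist) with the same `"task": "1"` / `"commentid": "18"` map would pin the whole surface rather than one route. Asserting `models.ErrCodeTaskCommentDoesNotExist` rather than a forbidden code is the right expectation, since it does not disclose to testuser1 that comment 18 exists; a one-line comment above the assertion such as `// expect "does not exist", not "forbidden", so the response does not leak the comment's existence` would record why that code was chosen. The preceding `assert.Error(t, err)` is likely redundant if assertHandlerErrorCode already fails on a nil error, though that helper is not visible here.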