From 2da89258e53068253dcf8ef17d4dad141dba7d31 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Fri, 20 Mar 2026 10:12:27 +0100
Subject: [PATCH] test: add failing test for task comment IDOR

Proves that a user can read a comment from an inaccessible task by supplying an accessible task ID in the URL. Comment 18 belongs to task 34 (owned by user 13), but testuser1 can read it via task 1.

Ref: GHSA-mr3j-p26x-72x4
---
 pkg/webtests/task_comment_test.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/pkg/webtests/task_comment_test.go b/pkg/webtests/task_comment_test.go
index 8876845fb..b9e5cba1d 100644
--- a/pkg/webtests/task_comment_test.go
+++ b/pkg/webtests/task_comment_test.go
@@ -311,3 +311,26 @@ func TestTaskComments(t *testing.T) {
 })
 })
 }
+
+func TestTaskCommentIDOR(t *testing.T) {
+ t.Run("Cannot read comment from inaccessible task via accessible task ID", func(t *testing.T) {
+ // Comment 18 belongs to task 34 (owned by user 13, inaccessible to testuser1).
+ // Task 1 is accessible to testuser1.
+ // Requesting GET /tasks/1/comments/18 should fail because the comment
+ // does not belong to task 1.
+ testHandler := webHandlerTest{
+ user: &testuser1,
+ strFunc: func() handler.CObject {
+ return &models.TaskComment{}
+ },
+ t: t,
+ }
+
+ _, err := testHandler.testReadOneWithUser(nil, map[string]string{
+ "task": "1", // task accessible to testuser1
+ "commentid": "18", // comment belonging to task 34, NOT accessible to testuser1
+ })
+ assert.Error(t, err)
+ assertHandlerErrorCode(t, err, models.ErrCodeTaskCommentDoesNotExist)
+ })
+}
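Review bot: TestTaskCommentIDOR pins only the read path through `testReadOneWithUser`, so a fix that tightens the task/comment pairing check in the read handler alone would turn this test green while update and delete on the same mismatched `task`/`commentid` pair stay unverified; the same subtest shape should be repeated for the update and delete counterparts of `testReadOneWithUser`, each expecting `models.ErrCodeTaskCommentDoesNotExist`. The choice of that "does not exist" code over a permission code is worth recording in the test, since it keeps the response from confirming that comment 18 exists at all; I would add `// Expect "does not exist" rather than a permission error so the response does not reveal that comment 18 exists.` above the `assertHandlerErrorCode` call. `assert.Error(t, err)` does not stop the subtest, so if `assertHandlerErrorCode` inspects a nil err in the currently-failing state it may panic instead of reporting cleanly; unless that helper already guards nil, an early `if err == nil { return }` after the assert (or a require-style check) keeps the failure readable. The function is entirely within the hunk.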