fix: prevent attachment IDOR by validating task_id in ReadOne (GHSA-jfmm-mjcp-8wq2)

kolaente 2026-03-23 16:10:30 +01:00 committed by kolaente
parent 3111f3d70c
commit b8edc8f17f
1 changed files with 9 additions and 1 deletions


@ -108,7 +108,15 @@ func (ta *TaskAttachment) NewAttachment(s *xorm.Session, f io.ReadSeeker, realna
// ReadOne returns a task attachment
func (ta *TaskAttachment) ReadOne(s *xorm.Session, _ web.Auth) (err error) {
exists, err := s.Where("id = ?", ta.ID).Get(ta)
query := s.Where("id = ?", ta.ID).NoAutoCondition()
// When TaskID is provided (e.g. from URL parameters), verify the attachment
// belongs to that task to prevent IDOR attacks.
if ta.TaskID != 0 {
query = query.And("task_id = ?", ta.TaskID)
}
exists, err := query.Get(ta)
if err != nil {
return
}