From b8edc8f17f47222e439bbac8725758a02782e943 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 23 Mar 2026 16:10:30 +0100
Subject: [PATCH] fix: prevent attachment IDOR by validating task_id in ReadOne (GHSA-jfmm-mjcp-8wq2)
---
 pkg/models/task_attachment.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkg/models/task_attachment.go b/pkg/models/task_attachment.go
index 3f95f412a..294b4c384 100644
--- a/pkg/models/task_attachment.go
+++ b/pkg/models/task_attachment.go
@@ -108,7 +108,15 @@ func (ta *TaskAttachment) NewAttachment(s *xorm.Session, f io.ReadSeeker, realna
 // ReadOne returns a task attachment
 func (ta *TaskAttachment) ReadOne(s *xorm.Session, _ web.Auth) (err error) {
- exists, err := s.Where("id = ?", ta.ID).Get(ta)
+ query := s.Where("id = ?", ta.ID).NoAutoCondition()
+
+ // When TaskID is provided (e.g. from URL parameters), verify the attachment
+ // belongs to that task to prevent IDOR attacks.
+ if ta.TaskID != 0 {
+ query = query.And("task_id = ?", ta.TaskID)
+ }
+
+ exists, err := query.Get(ta)
 if err != nil {
 return
 }