fix: verify comment belongs to task in URL to prevent IDOR

Add task_id check to getTaskCommentSimple so that a comment can only
be loaded if it actually belongs to the task specified in the URL.
Previously, any valid comment ID could be read through any accessible
task endpoint.

Ref: GHSA-mr3j-p26x-72x4
kolaente 2026-03-20 10:13:20 +01:00 committed by kolaente
parent 2da89258e5
commit bc6d843ed4
1 changed files with 1 additions and 0 deletions


@ -196,6 +196,7 @@ func (tc *TaskComment) Update(s *xorm.Session, _ web.Auth) error {
func getTaskCommentSimple(s *xorm.Session, tc *TaskComment) error {
exists, err := s.
Where("id = ?", tc.ID).
And("task_id = ?", tc.TaskID).
NoAutoCondition().
Get(tc)
if err != nil {