fix: verify comment belongs to task in URL to prevent IDOR
Add task_id check to getTaskCommentSimple so that a comment can only be loaded if it actually belongs to the task specified in the URL. Previously, any valid comment ID could be read through the endpoint of any task the caller was allowed to access. Ref: GHSA-mr3j-p26x-72x4
parent
2da89258e5
commit
bc6d843ed4
@ -196,6 +196,7 @@ func (tc *TaskComment) Update(s *xorm.Session, _ web.Auth) error {
|
|||
func getTaskCommentSimple(s *xorm.Session, tc *TaskComment) error {
|
||||
exists, err := s.
|
||||
Where("id = ?", tc.ID).
|
||||
And("task_id = ?", tc.TaskID).
|
||||
NoAutoCondition().
|
||||
Get(tc)
|
||||
if err != nil {
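Review bot: The new `And("task_id = ?", tc.TaskID)` filter is only a real authorization boundary if `tc.TaskID` is populated from the route parameter and cannot be overridden by the request body; if a caller binds the JSON payload into the same struct after the URL, an attacker can submit a matching task_id and the check becomes a no-op. That cannot be confirmed from this hunk, so it is worth verifying at each call site and recording the contract on the function, e.g. `// getTaskCommentSimple loads the comment with tc.ID only if it belongs to tc.TaskID; callers must set TaskID from the URL, never from the request body.` A regression test that loads an existing comment ID through a different task's endpoint and expects a not-found result would pin the fix. The function body continues past the hunk, so how `exists` is handled when no row matches is not visible here.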
|
||||
|
|
|
|||