From bc6d843ed4df82a6c89f10aa676a7a33d27bf2fd Mon Sep 17 00:00:00 2001
From: kolaente
Date: Fri, 20 Mar 2026 10:13:20 +0100
Subject: [PATCH] fix: verify comment belongs to task in URL to prevent IDOR

Add task_id check to getTaskCommentSimple so that a comment can only be loaded if it actually belongs to the task specified in the URL. Previously, any valid comment ID could be read through any accessible task endpoint.

Ref: GHSA-mr3j-p26x-72x4
---
 pkg/models/task_comments.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/models/task_comments.go b/pkg/models/task_comments.go
index 45f9f8f23..648a6fc9e 100644
--- a/pkg/models/task_comments.go
+++ b/pkg/models/task_comments.go
@@ -196,6 +196,7 @@ func (tc *TaskComment) Update(s *xorm.Session, _ web.Auth) error {
 func getTaskCommentSimple(s *xorm.Session, tc *TaskComment) error {
 exists, err := s.
 Where("id = ?", tc.ID).
+ And("task_id = ?", tc.TaskID).
 NoAutoCondition().
 Get(tc)
 if err != nil {
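Review bot: The added `And("task_id = ?", tc.TaskID)` only closes the cross-task read if every caller populates `tc.TaskID` from the route parameter before calling getTaskCommentSimple; with a zero TaskID the query matches nothing, which fails closed but is a precondition the function does not state. A doc comment would make it explicit: `// getTaskCommentSimple loads the comment with tc.ID only when it belongs to task tc.TaskID; callers must set both from the request first, otherwise the lookup finds nothing.` Since the chain uses `NoAutoCondition()`, xorm derives no constraint from tc's other fields, so this explicit clause is the sole guard and the `Get(tc)` call presumably reports the miss through the `exists` handling that follows. A regression test that requests an existing comment ID through a different task's endpoint and expects the not-found outcome would keep the guard from being dropped in a later refactor. The body of getTaskCommentSimple continues past the end of the hunk.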