vikunja

clone/vikunja

Fork 0

mirror of https://github.com/go-vikunja/vikunja.git synced 2026-05-29 23:19:48 +00:00

Commit Graph

Author	SHA1	Message	Date
kolaente	6a0f39b252	fix(security): enforce HTTP method and path in scoped API token matcher CanDoAPIRoute's non-CRUD fallback branch compared a path-derived permission name to the token's permission strings without checking the request method. A token with projects.background (registered for GET /projects/:project/background) could therefore invoke DELETE on the same path. The same method-confusion affected the whole /projects/:project/views/:view/buckets[/:bucket] cluster, where a token with projects.views_buckets (registered for GET) authorized PUT, POST, and DELETE on any accessible view's buckets. The matcher also leaked CRUD permissions between parent and nested sub-resource groups. When the request targeted a nested CRUD resource (e.g. projects_teams, projects_shares, projects_users, projects_views, projects_webhooks, projects_views_tasks, tasks_assignees, tasks_labels, tasks_comments, tasks_relations, tasks_attachments, teams_members), the matcher fell back from the specific group to the parent's permission list but then looked the permission name up inside the sub-resource's RouteDetail map. The effect was that a token holding only projects.read_all also authorized GET on every nested projects_* list endpoint, and the same held for create/update/delete and for the tasks.* family. Rewrite the matcher to iterate the token's own permissions and accept only when the stored RouteDetail's (Path, Method) matches the request. This removes all the path-derived group guessing and makes the stored detail the single source of truth. Preserve the tasks.read_all quirk (one permission, two list endpoints) as an explicit two-path allowlist inside the loop. Extract a GetAPITokenRoutes accessor so the new property-based webtest can consume the same snapshot served by GET /api/v1/routes. Add TestAPITokenMethodMatching in pkg/webtests: using the live echo router and the live apiTokenRoutes map, it iterates every advertised permission against every registered route and asserts the matcher accepts iff the stored (Path, Method) matches. Any future collision introduced by a new non-CRUD route on a shared path will be caught. After this change, previously-dead permissions like projects.background_delete, projects.views_buckets_{put,post,delete}, other.avatar, other.ws and caldav.access start working as their UI labels imply. Tokens that relied on the over-broad background / views_buckets grants, or on cross-cluster CRUD bleed-through, will lose the extra access - that is the fix. Refs: GHSA-v479-vf79-mg83	2026-04-09 15:17:20 +00:00

Author

SHA1

Message

Date

kolaente

6a0f39b252

fix(security): enforce HTTP method and path in scoped API token matcher

CanDoAPIRoute's non-CRUD fallback branch compared a path-derived
permission name to the token's permission strings without checking
the request method. A token with projects.background (registered for
GET /projects/:project/background) could therefore invoke DELETE on
the same path. The same method-confusion affected the whole
/projects/:project/views/:view/buckets[/:bucket] cluster, where a
token with projects.views_buckets (registered for GET) authorized
PUT, POST, and DELETE on any accessible view's buckets.

The matcher also leaked CRUD permissions between parent and nested
sub-resource groups. When the request targeted a nested CRUD resource
(e.g. projects_teams, projects_shares, projects_users, projects_views,
projects_webhooks, projects_views_tasks, tasks_assignees, tasks_labels,
tasks_comments, tasks_relations, tasks_attachments, teams_members),
the matcher fell back from the specific group to the parent's permission
list but then looked the permission name up inside the sub-resource's
RouteDetail map. The effect was that a token holding only projects.read_all
also authorized GET on every nested projects_* list endpoint, and the
same held for create/update/delete and for the tasks.* family.

Rewrite the matcher to iterate the token's own permissions and accept
only when the stored RouteDetail's (Path, Method) matches the request.
This removes all the path-derived group guessing and makes the stored
detail the single source of truth. Preserve the tasks.read_all quirk
(one permission, two list endpoints) as an explicit two-path allowlist
inside the loop.

Extract a GetAPITokenRoutes accessor so the new property-based webtest
can consume the same snapshot served by GET /api/v1/routes.

Add TestAPITokenMethodMatching in pkg/webtests: using the live echo
router and the live apiTokenRoutes map, it iterates every advertised
permission against every registered route and asserts the matcher
accepts iff the stored (Path, Method) matches. Any future collision
introduced by a new non-CRUD route on a shared path will be caught.

After this change, previously-dead permissions like
projects.background_delete, projects.views_buckets_{put,post,delete},
other.avatar, other.ws and caldav.access start working as their UI
labels imply. Tokens that relied on the over-broad background /
views_buckets grants, or on cross-cluster CRUD bleed-through, will
lose the extra access - that is the fix.

Refs: GHSA-v479-vf79-mg83

2026-04-09 15:17:20 +00:00

1 Commits