Skip to content

Fix IDOR in link management endpoints#975

Open
az10b wants to merge 1 commit intoLinkStackOrg:mainfrom
az10b:fix/idor-link-ownership
Open

Fix IDOR in link management endpoints#975
az10b wants to merge 1 commit intoLinkStackOrg:mainfrom
az10b:fix/idor-link-ownership

Conversation

@az10b
Copy link
Copy Markdown

@az10b az10b commented Apr 10, 2026

Summary

Three link management endpoints accept user-supplied link IDs without verifying the authenticated user owns the targeted link, allowing any registered user to modify other users' links.

  • POST /studio/edit-link (saveLink): Added ownership check — aborts 403 if link belongs to another user
  • POST /studio/sort-link (sortLinks): Added user_id where clause so updates only affect the authenticated user's links
  • GET /clearIcon/{id}: Added existing link-id middleware to the route

Steps to reproduce

  1. Create two user accounts (A and B), each with at least one link
  2. Login as user A
  3. Open browser console and POST to /studio/edit-link with user B's link ID:
fetch('/studio/edit-link', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'X-CSRF-TOKEN': document.querySelector('meta[name="csrf-token"]').content
  },
  body: new URLSearchParams({
    linkid: '<USER_B_LINK_ID>',
    link: 'https://evil-site.com',
    title: 'Modified',
    typename: 'link',
    button: 'custom_website'
  })
}).then(r => console.log('Status:', r.status))
  1. Before fix: user B's link is overwritten. After fix: 403 Forbidden.

Test plan

  • Verified saveLink returns 403 when targeting another user's link
  • Verified sortLinks silently ignores link IDs not owned by the user
  • Verified clearIcon returns 403 via link-id middleware
  • Verified normal link editing/sorting/icon clearing still works for the link owner

Fix IDOR in link management endpoints
35b66f2 
Three link management endpoints accept user-supplied link IDs
without verifying ownership, allowing any authenticated user to
modify other users' links:

- POST /studio/edit-link (saveLink): add ownership check before update
- POST /studio/sort-link (sortLinks): add user_id where clause
- GET /clearIcon/{id}: add existing link-id middleware to route
@JulianPrieber
Copy link
Copy Markdown
Member

JulianPrieber commented Apr 10, 2026

@lastsamurai26 needs testing.
If possible we'll move this before beta, we'll merge it to mainline.

@lastsamurai26
Copy link
Copy Markdown
Member

lastsamurai26 commented Apr 10, 2026
edited
Loading

I went ahead and made the changes, but I'm getting a 500 error in the console. I'm not sure if that's supposed to happen. @JulianPrieber , could you take another look and test it yourself if possible?

So we should definitely implement this.

@JulianPrieber
Copy link
Copy Markdown
Member

JulianPrieber commented Apr 10, 2026

I'm most likely busy until somewhere next week.

This should be compatible with the beta build, we can try to merge it there to test.

This should have been addressed already in a release two years ago. We got this from upstream but we're the only maintainers of it now.

Maybe just try to reproduce it on the latest release build.

Or we just yolo it idk

@lastsamurai26
Copy link
Copy Markdown
Member

lastsamurai26 commented Apr 10, 2026

I'm now using the beta(4.9.0) version in a production environment as well.

I'd need to install a release version again and test it there, but it doesn't seem to work with the current beta—maybe that's why.

Perhaps the TS (@az10b ) should test this with the beta to see if it works there too?

image

But the fix works

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@az10b @JulianPrieber @lastsamurai26