fix: add ownership enforcement on character and corporation API endpoints#90
Closed
cchopin wants to merge 1 commit into
Conversation
… endpoints to prevent IDOR

Introduces CharacterOwnership and CorporationOwnership middleware that verify the API token owner has access to the requested character_id / corporation_id. Adds a nullable user_id column to api_tokens so tokens can be scoped to a specific SeAT user; tokens with no associated user retain unrestricted (superuser-scoped) access for backwards compatibility.
Contributor:

Works as intended. Please don't open spam issues. @Crypta-Eve this should be closed.
Security Fix: Insecure Direct Object Reference (IDOR) on Character/Corporation Endpoints

Vulnerability

The character and corporation API endpoints accepted any valid `character_id` or `corporation_id` as a route parameter without verifying that the authenticated API token's owner has access to that resource. Any holder of a valid API token — regardless of which characters they own — could access the data of any character or corporation registered on the SeAT instance by enumerating or guessing EVE character IDs (which are public and sequential).

Affected Endpoints

All routes under:

- `GET /api/v2/character/{character_id}/*` — assets, wallet, mail, contracts, skills, market orders, notifications, industry jobs, jump clones, contacts, etc.
- `GET /api/v2/corporation/{corporation_id}/*` — assets, wallet, member tracking, contracts, etc.

Impact

An attacker with any valid API token (even one generated for a non-privileged user) can:

In an alliance context where SeAT is used for auth and intel, this constitutes a full compromise of all member financial and operational data.
Fix

- Added `CharacterOwnership` and `CorporationOwnership` middleware classes that intercept requests to character/corporation-scoped endpoints and verify that the requesting token's owner has access to the requested resource.
- A nullable `user_id` column is added to `api_tokens` via a new migration, allowing tokens to be scoped to a specific SeAT user. Backwards compatibility is preserved: existing tokens with no `user_id` are treated as superuser-scoped and retain unrestricted access. Users with the superuser role also retain unrestricted access to support administrative use cases.
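The ownership decision described under Fix, written out as an added illustration rather than the PR's own code: a Laravel middleware applying the same three rules (legacy token without `user_id` stays superuser-scoped, superuser role passes, everyone else must own the character). The `ApiToken` model, its `user()` relation, `hasRole()`, `characters()` and the `api_token` request attribute the guard is assumed to set are all assumptions, not SeAT identifiers.

```php
<?php
// Added example, not SeAT's code. Assumed: an ApiToken Eloquent model with a
// nullable user_id and a user() relation; a User model exposing hasRole('superuser')
// and a characters() relation whose rows carry character_id; and an API guard that
// stores the resolved token on the request as the 'api_token' attribute.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class CharacterOwnership
{
    public function handle(Request $request, Closure $next): Response
    {
        $token = $request->attributes->get('api_token'); // assumed to be set by the guard
        if ($token === null) {
            abort(401, 'Unauthenticated.');
        }

        // Backwards compatibility: tokens created before the migration have no
        // user_id and keep their previous, unrestricted (superuser-scoped) access.
        if ($token->user_id === null) {
            return $next($request);
        }

        $user = $token->user;
        if ($user === null) {
            // user_id points at a user that no longer exists: fail closed instead of
            // silently falling back to the unrestricted legacy path.
            abort(403, 'Token owner no longer exists.');
        }

        // Administrative use case: superusers keep access to every character.
        if ($user->hasRole('superuser')) {
            return $next($request);
        }

        // Ownership check: the route's character_id must belong to the token owner.
        $characterId = (int) $request->route('character_id');
        $owned = $user->characters()->where('character_id', $characterId)->exists();
        if (! $owned) {
            abort(403, 'You do not own this character.');
        }

        return $next($request);
    }
}
```

Registering it as route middleware on the `/api/v2/character/{character_id}/*` group (and a `CorporationOwnership` twin keyed on `corporation_id`) is what turns the check into a policy every endpoint under that prefix inherits.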