"Fix authorization bypass in GetTicket to ensure users can only access their own tickets."#3
Open
zeropath-ai[bot] wants to merge 2 commits intomasterfrom
Conversation
Member
|
@zeropath-ai Please create a reusable authentication helper function in auth.go that validates the calling user's auth. Then import and use this authentication function at the start of the current function to verify the user has proper authorization before proceeding with the rest of the logic. |
Author
|
As per your comment, the following code change has been committed: diff --git a/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/auth.go b/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/auth.go
new file mode 100644
index 00000000..6a4ffef1
--- /dev/null
+++ b/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/auth.go
@@ -0,0 +1,26 @@
+package handlers
+
+import (
+ "github.com/labstack/echo"
+ "net/http"
+)
+
+// ValidateUserAccess checks if the authenticated user has access to the requested resource
+func ValidateUserAccess(c echo.Context, requestedID string) error {
+ authenticatedUserID := c.Get("user")
+ if authenticatedUserID == nil {
+ return echo.NewHTTPError(http.StatusUnauthorized, map[string]string{
+ "result": "error",
+ "details": "Authentication required",
+ })
+ }
+
+ if authenticatedUserID.(string) != requestedID {
+ return echo.NewHTTPError(http.StatusForbidden, map[string]string{
+ "result": "error",
+ "details": "Access denied",
+ })
+ }
+
+ return nil
+}
diff --git a/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/handlers.go b/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/handlers.go
index b648b1fa..ead3a8bd 100644
--- a/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/handlers.go
+++ b/owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/handlers.go
@@ -15,18 +15,10 @@ func HealthCheck(c echo.Context) error {
// GetTicket returns the authenticated user's ticket.
func GetTicket(c echo.Context) error {
- // Get authenticated user's ID from the session/token
- authenticatedUserID := c.Get("user")
- if authenticatedUserID == nil {
- return c.JSON(http.StatusUnauthorized, map[string]string{"result": "error", "details": "Authentication required"})
- }
-
- // Get requested user ID from path parameter
requestedID := c.Param("id")
- // Verify user is accessing their own ticket
- if authenticatedUserID.(string) != requestedID {
- return c.JSON(http.StatusForbidden, map[string]string{"result": "error", "details": "Access denied"})
+ if err := ValidateUserAccess(c, requestedID); err != nil {
+ return err
}
userDataQuery := map[string]interface{}{"userID": requestedID}
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The Vulnerability Description: The
GetTicketfunction failed to validate whether the requester was authorized to access the ticket data. By manipulating theidparameter in the request, an attacker could retrieve tickets belonging to other users, resulting in an insecure direct object reference (IDOR) vulnerability.This Fix: The patch ensures that the
GetTicketfunction now validates the identity of the requester by comparing the authenticated user’s ID (retrieved from the session or token) with theidparameter in the request. Unauthorized requests are denied with appropriate HTTP status codes (401 Unauthorizedor403 Forbidden).The Cause of the Issue: The original implementation retrieved and processed the
idparameter directly from the request without verifying that the authenticated user was authorized to access the data associated with it. This lack of access control checks allowed unauthorized users to retrieve other users' tickets.The Patch Implementation: The function now retrieves the authenticated user ID from the context (e.g., session or token) and validates it against the request’s
idparameter. If the IDs do not match, the function returns a403 Forbiddenresponse, preventing unauthorized access. Additionally, a401 Unauthorizedresponse is returned if no authenticated user ID is found.Vulnerability Details
Code Snippets
How to Modify the Patch
You can modify this patch by using one of the two methods outlined below. We recommend using the
@zeropath-aibot for updating the code. If you encounter any bugs or issues with the patch, please report them here.Ask
@zeropath-ai!To request modifications, please post a comment beginning with
@zeropath-aiand specify the changes required.@zeropath-aiwill then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.Manually Modify the Files