oss/wallabag
oss/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-09-15 18:57:05 +00:00
Code Wiki Activity

AnnotationController: fix improper authorization vulnerability

Browse source 
This PR is based on 2.5.x branch.

We fix the improper authorization by retrieving the annotation using id
and user id.

We also replace the ParamConverter used to get the requested Annotation
on put and delete actions with an explicit call to AnnotationRepository
in order to prevent a resource enumeration through response discrepancy.

Fixes GHSA-mrqx-mjc4-vfh3

Co-authored-by: Jeremy Benoist <jeremy.benoist@gmail.com>
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
This commit is contained in:
Kevin Decherf 2023-01-23 12:16:09 +01:00
parent 9e9aedee94
commit 3ed7f2b751
6 changed files with 173 additions and 62 deletions
Download patch file Download diff file Expand all files Collapse all files

22
src/Wallabag/AnnotationBundle/Repository/AnnotationRepository.php
View file

@ -41,6 +41,24 @@ class AnnotationRepository extends EntityRepository
;
}
/**
* Find annotation by id and user.
*
* @param int $annotationId
* @param int $userId
*
* @return Annotation
*/
public function findOneByIdAndUserId($annotationId, $userId)
{
return $this->createQueryBuilder('a')
->where('a.id = :annotationId')->setParameter('annotationId', $annotationId)
->andWhere('a.user = :userId')->setParameter('userId', $userId)
->setMaxResults(1)
->getQuery()
->getOneOrNullResult();
}
/**
* Find annotations for entry id.
*
@ -49,7 +67,7 @@ class AnnotationRepository extends EntityRepository
*
* @return array
*/
public function findAnnotationsByPageId($entryId, $userId)
public function findByEntryIdAndUserId($entryId, $userId)
{
return $this->createQueryBuilder('a')
->where('a.entry = :entryId')->setParameter('entryId', $entryId)
@ -66,7 +84,7 @@ class AnnotationRepository extends EntityRepository
*
* @return array
*/
public function findLastAnnotationByPageId($entryId, $userId)
public function findLastAnnotationByUserId($entryId, $userId)
{
return $this->createQueryBuilder('a')
->where('a.entry = :entryId')->setParameter('entryId', $entryId)