fix(security): object-level ownership on the compliance surfaces (1a.1)#263
Open
MoltyCel wants to merge 1 commit into
Open
fix(security): object-level ownership on the compliance surfaces (1a.1)#263MoltyCel wants to merge 1 commit into
MoltyCel wants to merge 1 commit into
Conversation
The four /compliance/* endpoints authenticated the caller (verify_api_key)
but never checked object-level ownership, so any valid API-key holder could:
* POST /compliance/declaration — mint a MolTrust-signed conformity VC for
ANY subject_did (impersonation of the signed attestation),
* POST /compliance/assess — write an assessment into ANY DID's history,
* POST /compliance/incident — file an Art 73 incident against ANY DID,
* GET /compliance/report/{did}— read ANY DID's compliance record (IDOR).
Add a shared _require_did_owner_or_admin(request, api_key, subject_did): the
caller's API key must resolve to that exact DID, or they present the admin key.
The 403 is uniform whether the caller is the wrong owner or the DID does not
exist, so the endpoints are not a DID-enumeration oracle. assess with no `did`
stays open (stateless classification, nothing persisted). /compliance/report
is now owner-or-admin, not a public trust surface.
Tests: tests/test_compliance_ownership.py (own->200, foreign->403,
no-oracle, admin bypass); existing report-not-found retargeted to the admin
404 path. Mirrors the owner-or-admin idiom already used at agents/revoke and
delegation/create.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
1a.1 — Compliance IDOR / ownership (Welle 1a)
The four endpoints authenticated the caller () but performed no object-level ownership check. Any valid API-key holder could act on any DID:
Fix
One shared guard :
Mirrors the owner-or-admin idiom already used at (main.py:6085) and (main.py:6572).
Design decisions (flagged for review)
Tests —
own→200 · foreign→403 (assess/declaration/incident/report) · no- assess open · report no-oracle (foreign == ghost, same status+body) · admin bypass→200. Existing retargeted to the admin 404 path.
**Verified on sandbox DB: ** (test_compliance + test_incidents_anchors + test_compliance_ownership).
🤖 Generated with Claude Code
Do not merge without review — Welle 1a security fix, build-to-PR only per mandate.