Skip to content

[WEB-7776] fix(security): scope FileAsset queries to prevent cross-project IDOR (Cluster F)#9288

Open
mguptahub wants to merge 1 commit into
previewfrom
web-7776/fix-asset-idor
Open

[WEB-7776] fix(security): scope FileAsset queries to prevent cross-project IDOR (Cluster F)#9288
mguptahub wants to merge 1 commit into
previewfrom
web-7776/fix-asset-idor

Conversation

@mguptahub

@mguptahub mguptahub commented Jun 22, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Collaborator

Summary

Multiple asset endpoints were missing project-level scoping on FileAsset queryset filters, allowing authenticated users to access, mark-uploaded, or restore assets belonging to other projects or workspaces they are not members of.

Fixes applied

Priority Endpoint File Fix
P0 ProjectBulkAssetEndpoint.post app/views/asset/v2.py Add project_id=project_id to asset filter
P0 EntityAssetEndpoint.get space/views/asset.py Add project_id=deploy_board.project_id
P0 EntityAssetEndpoint.patch space/views/asset.py Add project_id=deploy_board.project_id
P1 AssetRestoreEndpoint.post space/views/asset.py Add project_id=deploy_board.project_id
P1 FileAssetEndpoint V1 (get/post/delete) app/views/asset/base.py Add WorkspaceMember membership check
P1 FileAssetViewSet.restore V1 app/views/asset/base.py Add WorkspaceMember membership check
P2 WorkspaceFileAssetEndpoint.post app/views/asset/v2.py Gate WORKSPACE_LOGO upload on ROLE.ADMIN
P2 DuplicateAssetEndpoint.post app/views/asset/v2.py Restrict source asset lookup to same workspace

Advisories addressed

GHSA-r2hw (critical), GHSA-jh4v (high), GHSA-8688 (high), GHSA-3hrj, GHSA-3892, GHSA-3ggg, GHSA-gcpp, GHSA-p57q, GHSA-c68q, GHSA-8chr, GHSA-58qm, GHSA-wrrw, GHSA-j4mj, GHSA-85h2, GHSA-29q3, GHSA-mwh2, GHSA-xrpv and related duplicates.

Test plan

  • Upload an asset to Project A, then attempt POST /api/v1/workspaces/{slug}/projects/{projectB_id}/bulk-asset-save/ with the asset ID — should return 404
  • On a public board, attempt PATCH /spaces/{anchor}/assets/{asset_from_other_project}/ — should return 404
  • On a public board, attempt POST /spaces/{anchor}/assets/{id}/restore/ with asset from a different project — should return 404
  • Attempt GET /api/workspaces/{ws_id}/{asset_key} from a user not in the workspace — should return 404
  • As MEMBER, attempt POST /api/v1/workspaces/{slug}/file-assets/ with entity_type=WORKSPACE_LOGO — should return 403
  • As ADMIN, attempt same call — should succeed
  • DuplicateAssetEndpoint: attempt to duplicate an asset from workspace B while calling endpoint in workspace A — should return 404

Co-authored-by: Plane AI noreply@plane.so

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • Added workspace membership verification for asset access, uploads, and deletions
    • Restricted workspace logo uploads to administrators only
    • Prevented unauthorized cross-project asset access
    • Enhanced authorization checks for asset restoration operations

@mguptahub
[WEB-7776] fix(security): scope FileAsset queries to prevent cross-pr…
e063c2c 
…oject IDOR (Cluster F)

Multiple asset endpoints were missing project-level scoping on FileAsset
queryset filters, allowing authenticated users to access, mark-uploaded,
or restore assets belonging to other projects/workspaces.

- ProjectBulkAssetEndpoint.post: add project_id= scope to asset filter
- EntityAssetEndpoint.get/patch: add project_id=deploy_board.project_id
- AssetRestoreEndpoint.post: add project_id=deploy_board.project_id
- FileAssetEndpoint (V1): add workspace membership check on get/post/delete
- FileAssetViewSet.restore (V1): add workspace membership check
- WorkspaceFileAssetEndpoint.post: gate WORKSPACE_LOGO on ADMIN role
- DuplicateAssetEndpoint.post: restrict source asset to same workspace

Fixes GHSA-r2hw, GHSA-jh4v, GHSA-8688, GHSA-3hrj and related advisories.

Co-authored-by: Plane AI <noreply@plane.so>
Copilot AI review requested due to automatic review settings June 22, 2026 10:39
Copilot AI reviewed Jun 22, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@coderabbitai

coderabbitai Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a791cd50-31ff-4044-bc40-3a41be4f9446

📥 Commits

Reviewing files that changed from the base of the PR and between 4a0746b and e063c2c.

📒 Files selected for processing (3)
  • apps/api/plane/app/views/asset/base.py
  • apps/api/plane/app/views/asset/v2.py
  • apps/api/plane/space/views/asset.py
📝 Walkthrough

Walkthrough

Three asset-related view files receive authorization hardening: FileAssetEndpoint in base.py gains active workspace-membership checks on all four HTTP methods; v2.py adds an admin role gate for workspace-logo uploads, adds project_id scoping to the bulk asset query, and tightens the duplicate-asset source lookup to the destination workspace; space/views/asset.py adds project_id to asset queries in get, patch, and restore to prevent cross-project IDOR.

Changes

Asset Endpoint Authorization Hardening

Layer / File(s) Summary
Workspace membership guards on FileAssetEndpoint
apps/api/plane/app/views/asset/base.py		 Imports WorkspaceMember and inserts active-membership checks at the top of get, post, delete, and restore; post additionally resolves the workspace by slug with a 404 guard before saving the serializer with the resolved workspace_id.
Admin gate for logo upload and scoping fixes in v2 endpoints
apps/api/plane/app/views/asset/v2.py		 WorkspaceFileAssetEndpoint.post returns 403 when the caller is not an admin for WORKSPACE_LOGO uploads; ProjectBulkAssetEndpoint.post adds project_id to the FileAsset filter; DuplicateAssetEndpoint.post scopes the source asset lookup to the destination workspace instead of the caller's memberships.
Cross-project IDOR fix in space-app asset endpoints
apps/api/plane/space/views/asset.py		 Adds project_id to the FileAsset filter in EntityAssetEndpoint.get, EntityAssetEndpoint.patch, and AssetRestoreEndpoint.post, preventing assets from being accessed or restored across project boundaries.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • makeplane/plane#9212: Implements the same cross-workspace asset authorization pattern at the endpoint level via workspace membership checks on asset operations, directly overlapping with the FileAssetEndpoint membership guards added in this PR.

Suggested reviewers

  • dheeru0198
  • pablohashescobar
  • sangeethailango

Poem

🐰 A bunny guards the warren door,
No stranger slips through any more.
Each slug is checked, each project scoped,
Cross-project sneaks? Their access roped.
The logo vault needs admin keys,
Our assets rest in safety's ease! 🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and specifically describes the main security fix: scoping FileAsset queries to prevent cross-project IDOR vulnerabilities across multiple endpoints.
Description check ✅ Passed The description is comprehensive, detailing fixes across 8 endpoints with priority levels, affected files, and a detailed test plan, though it uses a table format rather than strictly following the template sections.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch web-7776/fix-asset-idor

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@makeplane

makeplane Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown

Linked to Plane Work Item(s)

This comment was auto-generated by Plane

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@dheeru0198 dheeru0198 Awaiting requested review from dheeru0198 dheeru0198 is a code owner

@pablohashescobar pablohashescobar Awaiting requested review from pablohashescobar pablohashescobar is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mguptahub