Skip to content

Security: Unauthenticated arbitrary resource file deletion via delete_variant#8726

Open
AngelFQC wants to merge 1 commit into
chamilo:masterfrom
AngelFQC:security/auto-fix-GHSA-4j89-qjx2-3wcr
Open

Security: Unauthenticated arbitrary resource file deletion via delete_variant#8726
AngelFQC wants to merge 1 commit into
chamilo:masterfrom
AngelFQC:security/auto-fix-GHSA-4j89-qjx2-3wcr

Conversation

@AngelFQC

Copy link
Copy Markdown
Member

Adds authorization to the DELETE /r/resource_files/{id}/delete_variant endpoint, which previously deleted any ResourceFile by numeric id with no authentication or authorization. The handler now requires EDIT permission on the owning ResourceNode (admins pass via ROLE_ADMIN) and only allows removal of genuine access-URL variants (accessUrl !== null), returning 404 otherwise.

Note: CSRF token validation was not added — the endpoint is consumed by the SPA over JWT bearer auth and adding a token would require a coordinated frontend change; the authorization check already eliminates the unauthenticated/cross-privilege vector. Flagging in case a CSRF layer is desired as defense-in-depth.

Refs GHSA-4j89-qjx2-3wcr

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant