🛡️ Sentinel: [CRITICAL] Fix authorization bypass in file deletion endpoint #156
xb1g wants to merge 1 commit into
…point Co-authored-by: xb1g <70068561+xb1g@users.noreply.github.com>
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
Pull request overview

This PR fixes an authorization bypass (IDOR via path manipulation) in the `DELETE /api/upload` endpoint by tightening the ownership check from a substring match to a strict prefix match, ensuring a user can only delete objects stored under their own `submissions/<userId>/...` keyspace.

Changes:
- Replaced `fileName.includes(...)` with `fileName.startsWith(...)` for strict ownership validation on delete.
- Prevents crafted keys that merely contain `submissions/<userId>/` from passing authorization.
Deploying with Vercel

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed (View logs) | web | bb14073 | May 11 2026, 06:27 PM |
🚨 Severity: CRITICAL

💡 Vulnerability: Insecure Direct Object Reference (IDOR) via path manipulation in the `DELETE /api/upload` endpoint. The code used `` fileName.includes(`submissions/${user.id}/`) `` to verify ownership, allowing an attacker to bypass authorization if their user ID appeared anywhere within a maliciously crafted file path.

🎯 Impact: Attackers could delete files belonging to other users if they correctly constructed a payload to bypass the `.includes` check.

🔧 Fix: Changed `.includes` to `.startsWith` to strictly verify that the path begins with the authorized user's directory.

✅ Verification: `pnpm test` and `pnpm lint` passed cleanly. Verified the logic mathematically guarantees strict prefix matching.

PR created automatically by Jules for task 3678801344530333967 started by @xb1g
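The substring check versus the prefix check the PR describes, as an added example (not the project's own code): both forms run side by side over constructed object keys, plus a segment check that is an assumption beyond the PR and guards the case where a storage backend normalizes `..` in keys.

```javascript
// Added example, not code from the PR. Models the ownership check on
// DELETE /api/upload before and after the fix; function names and the
// sample keys below are constructed for illustration.

// Before the fix: a substring test. Any key that merely *contains* the
// caller's directory string anywhere passes.
function ownsFileBefore(user, fileName) {
  return fileName.includes(`submissions/${user.id}/`);
}

// After the fix: a strict prefix test. The key must *begin* with the
// caller's directory.
function ownsFileAfter(user, fileName) {
  return fileName.startsWith(`submissions/${user.id}/`);
}

// Defense in depth (assumption, not part of the PR): also reject keys with
// "." / ".." or empty segments, so a prefix-valid key cannot be re-resolved
// by a normalizing backend into another user's directory.
function ownsFileStrict(user, fileName) {
  if (!ownsFileAfter(user, fileName)) return false;
  const segments = fileName.split("/");
  return segments.every((s) => s !== "" && s !== "." && s !== "..");
}

// Constructed sample keys with the expected ownership verdict for alice.
const alice = { id: "alice" };
const cases = [
  ["submissions/alice/report.pdf", true],          // alice's own object
  ["submissions/bob/report.pdf", false],           // another user's object
  ["submissions/bob/x/submissions/alice/", false], // alice's dir string buried in bob's keyspace
  ["submissions/alice/../bob/report.pdf", false],  // prefix ok, but a ".." segment
];

// Run one check over every sample key and record what it returned.
function evaluate(check, user) {
  return cases.map(([key, expected]) => ({ key, expected, got: check(user, key) }));
}

// Keys for which a given check gives the wrong verdict (empty = check is sound here).
function failingKeys(check, user) {
  return evaluate(check, user).filter((r) => r.got !== r.expected).map((r) => r.key);
}
```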