fix(security): scope berth-pdf service entrypoints by portId
Post-merge security review caught a cross-tenant authorization bypass
in the per-berth PDF endpoints (HIGH severity, confidence 10):
GET /api/v1/berths/[id]/pdf-versions
POST /api/v1/berths/[id]/pdf-versions
POST /api/v1/berths/[id]/pdf-upload-url
POST /api/v1/berths/[id]/pdf-versions/[versionId]/rollback
POST /api/v1/berths/[id]/pdf-versions/parse-results/apply
Each handler looked up the target berth by id only — `eq(berths.id, ...)`.
withAuth resolves ctx.portId from the user-controlled X-Port-Id header
(only verifying the user has SOME role on that port), and
withPermission('berths', 'view'|'edit', ...) is a coarse capability
check, not a row-level grant. A rep with berths:edit on Port A could
supply a Port B berth UUID and:
- list + receive 15-min presigned download URLs to every PDF version
- mint an upload URL targeting `berths/<port-B-id>/uploads/...`
- POST a new version (overwriting current_pdf_version_id on foreign berth)
- rollback to any prior version on a foreign berth
- apply rep-confirmed parse-result fields onto a foreign berth's columns
Sibling routes (waiting-list etc.) already pair the id filter with
`eq(berths.portId, ctx.portId)`, so this was an omission, not design.
Fix:
- Push `portId: string` into uploadBerthPdf, listBerthPdfVersions,
rollbackToVersion, applyParseResults, reconcilePdfWithBerth.
- Each function now filters the berth lookup with
`and(eq(berths.id, ...), eq(berths.portId, portId))` and throws
NotFoundError on mismatch (no foreign-port disclosure).
- Inline the same `and(...)` filter in the pdf-upload-url handler.
- Every handler passes ctx.portId through.
Coverage:
- New `cross-port tenant guard` test exercises every entrypoint with a
foreign-port id and asserts NotFoundError.
- 1164/1164 vitest passing. Typecheck clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
@@ -12,7 +12,7 @@ import { NextResponse } from 'next/server';
|
||||
import { type RouteHandler } from '@/lib/api/helpers';
|
||||
import { db } from '@/lib/db';
|
||||
import { berths } from '@/lib/db/schema/berths';
|
||||
import { eq } from 'drizzle-orm';
|
||||
import { and, eq } from 'drizzle-orm';
|
||||
import { errorResponse, NotFoundError, ValidationError } from '@/lib/errors';
|
||||
import { getMaxUploadMb } from '@/lib/services/berth-pdf.service';
|
||||
import { getStorageBackend } from '@/lib/storage';
|
||||
@@ -24,13 +24,19 @@ interface PostBody {
|
||||
sizeBytes?: number;
|
||||
}
|
||||
|
||||
export const postHandler: RouteHandler = async (req, _ctx, params) => {
|
||||
export const postHandler: RouteHandler = async (req, ctx, params) => {
|
||||
try {
|
||||
const body = (await req.json()) as Partial<PostBody>;
|
||||
const fileName = (body.fileName ?? '').trim();
|
||||
if (!fileName) throw new ValidationError('fileName is required');
|
||||
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, params.id!) });
|
||||
// Tenant-scoped berth lookup. Without `eq(berths.portId, ctx.portId)` a
|
||||
// rep with berths:edit on port A could mint an upload URL targeting a
|
||||
// port-B berth (the storage key namespace would land under that berth's
|
||||
// id, leaking access).
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, params.id!), eq(berths.portId, ctx.portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
|
||||
const maxMb = await getMaxUploadMb(berthRow.portId);
|
||||
|
||||
@@ -4,9 +4,9 @@ import { type RouteHandler } from '@/lib/api/helpers';
|
||||
import { errorResponse } from '@/lib/errors';
|
||||
import { rollbackToVersion } from '@/lib/services/berth-pdf.service';
|
||||
|
||||
export const postHandler: RouteHandler = async (_req, _ctx, params) => {
|
||||
export const postHandler: RouteHandler = async (_req, ctx, params) => {
|
||||
try {
|
||||
const result = await rollbackToVersion(params.id!, params.versionId!);
|
||||
const result = await rollbackToVersion(params.id!, params.versionId!, ctx.portId);
|
||||
return NextResponse.json({ data: result });
|
||||
} catch (error) {
|
||||
return errorResponse(error);
|
||||
|
||||
@@ -25,9 +25,9 @@ interface PostBody {
|
||||
};
|
||||
}
|
||||
|
||||
export const getHandler: RouteHandler = async (_req, _ctx, params) => {
|
||||
export const getHandler: RouteHandler = async (_req, ctx, params) => {
|
||||
try {
|
||||
const versions = await listBerthPdfVersions(params.id!);
|
||||
const versions = await listBerthPdfVersions(params.id!, ctx.portId);
|
||||
return NextResponse.json({ data: versions });
|
||||
} catch (error) {
|
||||
return errorResponse(error);
|
||||
@@ -48,6 +48,7 @@ export const postHandler: RouteHandler = async (req, ctx, params) => {
|
||||
}
|
||||
const result = await uploadBerthPdf({
|
||||
berthId: params.id!,
|
||||
portId: ctx.portId,
|
||||
storageKey: body.storageKey,
|
||||
fileName: body.fileName,
|
||||
fileSizeBytes: body.fileSizeBytes,
|
||||
|
||||
@@ -9,14 +9,19 @@ interface PostBody {
|
||||
fieldsToApply: Partial<ExtractedBerthFields>;
|
||||
}
|
||||
|
||||
export const postHandler: RouteHandler = async (req, _ctx, params) => {
|
||||
export const postHandler: RouteHandler = async (req, ctx, params) => {
|
||||
try {
|
||||
const body = (await req.json()) as Partial<PostBody>;
|
||||
if (!body.versionId) throw new ValidationError('versionId is required');
|
||||
if (!body.fieldsToApply || typeof body.fieldsToApply !== 'object') {
|
||||
throw new ValidationError('fieldsToApply must be an object');
|
||||
}
|
||||
const result = await applyParseResults(params.id!, body.versionId, body.fieldsToApply);
|
||||
const result = await applyParseResults(
|
||||
params.id!,
|
||||
body.versionId,
|
||||
body.fieldsToApply,
|
||||
ctx.portId,
|
||||
);
|
||||
return NextResponse.json({ data: result });
|
||||
} catch (error) {
|
||||
return errorResponse(error);
|
||||
|
||||
@@ -137,6 +137,13 @@ export async function getMaxUploadMb(portId: string): Promise<number> {
|
||||
|
||||
export interface UploadBerthPdfArgs {
|
||||
berthId: string;
|
||||
/**
|
||||
* Acting tenant. Every public service entrypoint requires this so the berth
|
||||
* lookup can be scoped to `(berth.id, port_id)` — without it a rep with
|
||||
* berths:edit on port A could supply a port B berth UUID and write/read
|
||||
* cross-tenant data. NotFoundError on mismatch.
|
||||
*/
|
||||
portId: string;
|
||||
/** Already-uploaded storage key (the upload-url endpoint generated it) OR
|
||||
* undefined to make this service compute one. */
|
||||
storageKey?: string;
|
||||
@@ -175,7 +182,11 @@ export interface UploadBerthPdfResult {
|
||||
*/
|
||||
export async function uploadBerthPdf(args: UploadBerthPdfArgs): Promise<UploadBerthPdfResult> {
|
||||
// 1. Resolve the berth + port for size-cap lookup.
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, args.berthId) });
|
||||
// Tenant-scoped lookup — NotFoundError when the berth lives in a different
|
||||
// port so a rep on port A cannot upload PDFs against port B's berths.
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, args.berthId), eq(berths.portId, args.portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
const maxMb = await getMaxUploadMb(berthRow.portId);
|
||||
const maxBytes = maxMb * 1024 * 1024;
|
||||
@@ -378,8 +389,12 @@ function serializeParseResult(parse: ParseResult): Record<string, unknown> {
|
||||
export async function reconcilePdfWithBerth(
|
||||
berthId: string,
|
||||
parsed: ParseResult,
|
||||
/** Tenant scope. NotFoundError on cross-port lookups. */
|
||||
portId: string,
|
||||
): Promise<ReconcileResult> {
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, berthId) });
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, berthId), eq(berths.portId, portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
const fields = parsed.fields;
|
||||
|
||||
@@ -440,9 +455,13 @@ export async function applyParseResults(
|
||||
berthId: string,
|
||||
versionId: string,
|
||||
fieldsToApply: Partial<ExtractedBerthFields>,
|
||||
/** Tenant scope. NotFoundError when berth lives in a different port. */
|
||||
portId: string,
|
||||
opts: { confirmMooringMismatch?: boolean } = {},
|
||||
): Promise<{ updatedFields: Array<keyof ExtractedBerthFields> }> {
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, berthId) });
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, berthId), eq(berths.portId, portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
const versionRow = await db.query.berthPdfVersions.findFirst({
|
||||
where: and(eq(berthPdfVersions.id, versionId), eq(berthPdfVersions.berthId, berthId)),
|
||||
@@ -520,8 +539,14 @@ export interface BerthPdfVersionListItem {
|
||||
parseEngine: ParserEngine | null;
|
||||
}
|
||||
|
||||
export async function listBerthPdfVersions(berthId: string): Promise<BerthPdfVersionListItem[]> {
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, berthId) });
|
||||
export async function listBerthPdfVersions(
|
||||
berthId: string,
|
||||
/** Tenant scope. NotFoundError when berth lives in a different port. */
|
||||
portId: string,
|
||||
): Promise<BerthPdfVersionListItem[]> {
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, berthId), eq(berths.portId, portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
|
||||
const rows = await db
|
||||
@@ -569,12 +594,16 @@ export async function listBerthPdfVersions(berthId: string): Promise<BerthPdfVer
|
||||
export async function rollbackToVersion(
|
||||
berthId: string,
|
||||
versionId: string,
|
||||
/** Tenant scope. NotFoundError when berth lives in a different port. */
|
||||
portId: string,
|
||||
): Promise<{ versionId: string; versionNumber: number }> {
|
||||
const versionRow = await db.query.berthPdfVersions.findFirst({
|
||||
where: and(eq(berthPdfVersions.id, versionId), eq(berthPdfVersions.berthId, berthId)),
|
||||
});
|
||||
if (!versionRow) throw new NotFoundError('Berth PDF version');
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, berthId) });
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, berthId), eq(berths.portId, portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
|
||||
if (berthRow.currentPdfVersionId === versionId) {
|
||||
|
||||
Reference in New Issue
Block a user