fix(security): scope berth-pdf service entrypoints by portId
Post-merge security review caught a cross-tenant authorization bypass
in the per-berth PDF endpoints (HIGH severity, confidence 10):
GET /api/v1/berths/[id]/pdf-versions
POST /api/v1/berths/[id]/pdf-versions
POST /api/v1/berths/[id]/pdf-upload-url
POST /api/v1/berths/[id]/pdf-versions/[versionId]/rollback
POST /api/v1/berths/[id]/pdf-versions/parse-results/apply
Each handler looked up the target berth by id only — `eq(berths.id, ...)`.
withAuth resolves ctx.portId from the user-controlled X-Port-Id header
(only verifying the user has SOME role on that port), and
withPermission('berths', 'view'|'edit', ...) is a coarse capability
check, not a row-level grant. A rep with berths:edit on Port A could
supply a Port B berth UUID and:
- list + receive 15-min presigned download URLs to every PDF version
- mint an upload URL targeting `berths/<port-B-id>/uploads/...`
- POST a new version (overwriting current_pdf_version_id on foreign berth)
- rollback to any prior version on a foreign berth
- apply rep-confirmed parse-result fields onto a foreign berth's columns
Sibling routes (waiting-list etc.) already pair the id filter with
`eq(berths.portId, ctx.portId)`, so this was an omission, not design.
Fix:
- Push `portId: string` into uploadBerthPdf, listBerthPdfVersions,
rollbackToVersion, applyParseResults, reconcilePdfWithBerth.
- Each function now filters the berth lookup with
`and(eq(berths.id, ...), eq(berths.portId, portId))` and throws
NotFoundError on mismatch (no foreign-port disclosure).
- Inline the same `and(...)` filter in the pdf-upload-url handler.
- Every handler passes ctx.portId through.
Coverage:
- New `cross-port tenant guard` test exercises every entrypoint with a
foreign-port id and asserts NotFoundError.
- 1164/1164 vitest passing. Typecheck clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
@@ -12,7 +12,7 @@ import { NextResponse } from 'next/server';
|
||||
import { type RouteHandler } from '@/lib/api/helpers';
|
||||
import { db } from '@/lib/db';
|
||||
import { berths } from '@/lib/db/schema/berths';
|
||||
import { eq } from 'drizzle-orm';
|
||||
import { and, eq } from 'drizzle-orm';
|
||||
import { errorResponse, NotFoundError, ValidationError } from '@/lib/errors';
|
||||
import { getMaxUploadMb } from '@/lib/services/berth-pdf.service';
|
||||
import { getStorageBackend } from '@/lib/storage';
|
||||
@@ -24,13 +24,19 @@ interface PostBody {
|
||||
sizeBytes?: number;
|
||||
}
|
||||
|
||||
export const postHandler: RouteHandler = async (req, _ctx, params) => {
|
||||
export const postHandler: RouteHandler = async (req, ctx, params) => {
|
||||
try {
|
||||
const body = (await req.json()) as Partial<PostBody>;
|
||||
const fileName = (body.fileName ?? '').trim();
|
||||
if (!fileName) throw new ValidationError('fileName is required');
|
||||
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, params.id!) });
|
||||
// Tenant-scoped berth lookup. Without `eq(berths.portId, ctx.portId)` a
|
||||
// rep with berths:edit on port A could mint an upload URL targeting a
|
||||
// port-B berth (the storage key namespace would land under that berth's
|
||||
// id, leaking access).
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, params.id!), eq(berths.portId, ctx.portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
|
||||
const maxMb = await getMaxUploadMb(berthRow.portId);
|
||||
|
||||
Reference in New Issue
Block a user