fix(security): scope berth-pdf service entrypoints by portId
Post-merge security review caught a cross-tenant authorization bypass
in the per-berth PDF endpoints (HIGH severity, confidence 10):
GET /api/v1/berths/[id]/pdf-versions
POST /api/v1/berths/[id]/pdf-versions
POST /api/v1/berths/[id]/pdf-upload-url
POST /api/v1/berths/[id]/pdf-versions/[versionId]/rollback
POST /api/v1/berths/[id]/pdf-versions/parse-results/apply
Each handler looked up the target berth by id only — `eq(berths.id, ...)`.
withAuth resolves ctx.portId from the user-controlled X-Port-Id header
(only verifying the user has SOME role on that port), and
withPermission('berths', 'view'|'edit', ...) is a coarse capability
check, not a row-level grant. A rep with berths:edit on Port A could
supply a Port B berth UUID and:
- list + receive 15-min presigned download URLs to every PDF version
- mint an upload URL targeting `berths/<port-B-id>/uploads/...`
- POST a new version (overwriting current_pdf_version_id on foreign berth)
- rollback to any prior version on a foreign berth
- apply rep-confirmed parse-result fields onto a foreign berth's columns
Sibling routes (waiting-list etc.) already pair the id filter with
`eq(berths.portId, ctx.portId)`, so this was an omission, not design.
Fix:
- Push `portId: string` into uploadBerthPdf, listBerthPdfVersions,
rollbackToVersion, applyParseResults, reconcilePdfWithBerth.
- Each function now filters the berth lookup with
`and(eq(berths.id, ...), eq(berths.portId, portId))` and throws
NotFoundError on mismatch (no foreign-port disclosure).
- Inline the same `and(...)` filter in the pdf-upload-url handler.
- Every handler passes ctx.portId through.
Coverage:
- New `cross-port tenant guard` test exercises every entrypoint with a
foreign-port id and asserts NotFoundError.
- 1164/1164 vitest passing. Typecheck clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
@@ -137,6 +137,13 @@ export async function getMaxUploadMb(portId: string): Promise<number> {
|
||||
|
||||
export interface UploadBerthPdfArgs {
|
||||
berthId: string;
|
||||
/**
|
||||
* Acting tenant. Every public service entrypoint requires this so the berth
|
||||
* lookup can be scoped to `(berth.id, port_id)` — without it a rep with
|
||||
* berths:edit on port A could supply a port B berth UUID and write/read
|
||||
* cross-tenant data. NotFoundError on mismatch.
|
||||
*/
|
||||
portId: string;
|
||||
/** Already-uploaded storage key (the upload-url endpoint generated it) OR
|
||||
* undefined to make this service compute one. */
|
||||
storageKey?: string;
|
||||
@@ -175,7 +182,11 @@ export interface UploadBerthPdfResult {
|
||||
*/
|
||||
export async function uploadBerthPdf(args: UploadBerthPdfArgs): Promise<UploadBerthPdfResult> {
|
||||
// 1. Resolve the berth + port for size-cap lookup.
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, args.berthId) });
|
||||
// Tenant-scoped lookup — NotFoundError when the berth lives in a different
|
||||
// port so a rep on port A cannot upload PDFs against port B's berths.
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, args.berthId), eq(berths.portId, args.portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
const maxMb = await getMaxUploadMb(berthRow.portId);
|
||||
const maxBytes = maxMb * 1024 * 1024;
|
||||
@@ -378,8 +389,12 @@ function serializeParseResult(parse: ParseResult): Record<string, unknown> {
|
||||
export async function reconcilePdfWithBerth(
|
||||
berthId: string,
|
||||
parsed: ParseResult,
|
||||
/** Tenant scope. NotFoundError on cross-port lookups. */
|
||||
portId: string,
|
||||
): Promise<ReconcileResult> {
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, berthId) });
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, berthId), eq(berths.portId, portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
const fields = parsed.fields;
|
||||
|
||||
@@ -440,9 +455,13 @@ export async function applyParseResults(
|
||||
berthId: string,
|
||||
versionId: string,
|
||||
fieldsToApply: Partial<ExtractedBerthFields>,
|
||||
/** Tenant scope. NotFoundError when berth lives in a different port. */
|
||||
portId: string,
|
||||
opts: { confirmMooringMismatch?: boolean } = {},
|
||||
): Promise<{ updatedFields: Array<keyof ExtractedBerthFields> }> {
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, berthId) });
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, berthId), eq(berths.portId, portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
const versionRow = await db.query.berthPdfVersions.findFirst({
|
||||
where: and(eq(berthPdfVersions.id, versionId), eq(berthPdfVersions.berthId, berthId)),
|
||||
@@ -520,8 +539,14 @@ export interface BerthPdfVersionListItem {
|
||||
parseEngine: ParserEngine | null;
|
||||
}
|
||||
|
||||
export async function listBerthPdfVersions(berthId: string): Promise<BerthPdfVersionListItem[]> {
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, berthId) });
|
||||
export async function listBerthPdfVersions(
|
||||
berthId: string,
|
||||
/** Tenant scope. NotFoundError when berth lives in a different port. */
|
||||
portId: string,
|
||||
): Promise<BerthPdfVersionListItem[]> {
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, berthId), eq(berths.portId, portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
|
||||
const rows = await db
|
||||
@@ -569,12 +594,16 @@ export async function listBerthPdfVersions(berthId: string): Promise<BerthPdfVer
|
||||
export async function rollbackToVersion(
|
||||
berthId: string,
|
||||
versionId: string,
|
||||
/** Tenant scope. NotFoundError when berth lives in a different port. */
|
||||
portId: string,
|
||||
): Promise<{ versionId: string; versionNumber: number }> {
|
||||
const versionRow = await db.query.berthPdfVersions.findFirst({
|
||||
where: and(eq(berthPdfVersions.id, versionId), eq(berthPdfVersions.berthId, berthId)),
|
||||
});
|
||||
if (!versionRow) throw new NotFoundError('Berth PDF version');
|
||||
const berthRow = await db.query.berths.findFirst({ where: eq(berths.id, berthId) });
|
||||
const berthRow = await db.query.berths.findFirst({
|
||||
where: and(eq(berths.id, berthId), eq(berths.portId, portId)),
|
||||
});
|
||||
if (!berthRow) throw new NotFoundError('Berth');
|
||||
|
||||
if (berthRow.currentPdfVersionId === versionId) {
|
||||
|
||||
Reference in New Issue
Block a user