What is Insecure Direct Object Reference (IDOR)?

Insecure Direct Object Reference (IDOR) is an access-control vulnerability that occurs when an application uses a user-supplied identifier (a database row id, a file name) to look up an internal object without checking that the requesting user is authorized for that particular object. An attacker who can guess or harvest another user's identifiers can then read or modify data that should be out of reach.

The Vulnerability in praisonai-platform

In the praisonai-platform, five label endpoints are vulnerable to IDOR: `PATCH /workspaces/{workspace_id}/labels/{label_id}`, `DELETE .../labels/{label_id}`, `POST .../issues/{issue_id}/labels/{label_id}`, `DELETE .../issues/{issue_id}/labels/{label_id}`, and `GET .../issues/{issue_id}/labels`. These endpoints gate access only on `require_workspace_member(workspace_id)` and pass the URL-supplied `label_id` and `issue_id` straight through to `LabelService` without verifying that they belong to that workspace. Membership in some workspace is therefore enough to operate on label and issue rows of every workspace.

How the Vulnerability is Exploited

An attacker can exploit this vulnerability by registering a workspace, harvesting a foreign-workspace `label_id` and `issue_id`, and then using these IDs to edit, delete, or link labels across workspaces. This can lead to permanent and silent integrity damage, confidentiality leaks, and availability issues.

Security Impact and CVSS Score

The security impact of this vulnerability is moderate, with a CVSS score of 6.3. The attacker can rename and delete any label in the multi-tenant deployment, attach any label to any issue, detach any label from any issue, and list label assignments for any issue.

Suggested Fix

To fix this vulnerability, `LabelService` should be updated so that every single-row label lookup takes the workspace predicate (filter by `workspace_id` as well as by `label_id`), and so that the association routes verify that both `issue_id` and `label_id` belong to `workspace_id` before linking, unlinking, or listing. A row that exists but lives in another workspace should be treated the same as a row that does not exist.
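An added example, not code from praisonai-platform, sketching the scoped lookups the fix describes against an in-memory store: `LabelService` and `require_workspace_member` are names from the advisory, while the record layout, the `NotFound` exception and the constructed rows are assumptions.

```python
from dataclasses import dataclass, field

class NotFound(Exception):
    """Object absent from this workspace; serve as 404 so foreign ids leak nothing."""

@dataclass
class Label:
    id: int
    workspace_id: int
    name: str

@dataclass
class Issue:
    id: int
    workspace_id: int
    label_ids: set = field(default_factory=set)

# Constructed records: the caller's workspace 100 and a foreign workspace 200.
LABELS = {1: Label(1, 100, "bug"), 2: Label(2, 200, "internal")}
ISSUES = {10: Issue(10, 100), 20: Issue(20, 200)}

def rename_label_unscoped(label_id: int, name: str) -> str:
    # Shape of the flaw: row fetched by id alone; the workspace already checked
    # by require_workspace_member never reaches the query.
    LABELS[label_id].name = name
    return name

class LabelService:
    """Hardened form: every single-row lookup takes the workspace predicate."""
    def _label(self, workspace_id: int, label_id: int) -> Label:
        label = LABELS.get(label_id)
        if label is None or label.workspace_id != workspace_id:
            raise NotFound("label")
        return label

    def _issue(self, workspace_id: int, issue_id: int) -> Issue:
        issue = ISSUES.get(issue_id)
        if issue is None or issue.workspace_id != workspace_id:
            raise NotFound("issue")
        return issue

    def rename_label(self, workspace_id: int, label_id: int, name: str) -> str:
        self._label(workspace_id, label_id).name = name
        return name

    def attach_label(self, workspace_id: int, issue_id: int, label_id: int) -> list:
        # Association route: both ids must belong to workspace_id before linking.
        issue = self._issue(workspace_id, issue_id)
        label = self._label(workspace_id, label_id)
        issue.label_ids.add(label.id)
        return sorted(issue.label_ids)
```

In a real database-backed service the same predicate becomes a `WHERE id = :label_id AND workspace_id = :workspace_id` clause on every single-row query, including the ones behind `DELETE` and `GET`.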