
fix(auth): scope getPrCiStatus access to maintainer installation#404

Merged
Ayush-Patel-56 merged 2 commits into
Coder-s-OG-s:mainfrom
pavsoss:fix/auth-getPrCiStatus-scope-v2
Jun 23, 2026

Conversation


@pavsoss pavsoss commented Jun 23, 2026

Contributor

Summary

Fix authorization gap in getPrCiStatus where maintainers could query CI status for installations they did not manage.

Root Cause

The endpoint verified only maintainer role (isUserMaintainer) but did not validate ownership of the provided installationId.

Changes

  • Added service-role client retrieval via getServiceSupabase()
  • Added assertMaintainerInstall(service, user.id, installationId)
  • Return not_authorised for unauthorized installation access
  • Added behavioral tests for authorized and unauthorized installation access

Security Impact

Prevents cross-installation CI status access (IDOR / tenant isolation issue).

Validation

  • typecheck ✅
  • lint ✅
  • tests: 530 passing ✅

Related issue

Closes #384

vercel Bot commented Jun 23, 2026


@pavsoss is attempting to deploy a commit to the codersogs-3057's projects Team on Vercel.

A member of the Team first needs to authorize it.

# Conflicts:
#	src/app/actions/maintainer.ts

@Ayush-Patel-56 Ayush-Patel-56 left a comment


Resolved the conflict (combined the new requireMaintainer() pattern with requireService: true for the new assertMaintainerInstall check) and pushed. Real IDOR fix - confirmed the auth check runs before the cache lookup, tests cover both authorized/unauthorized paths, 46/46 passing.
Approving.

@Ayush-Patel-56 Ayush-Patel-56 added level:intermediate Intermediate level difficulty quality:clean Clean, well-structured contribution type:bug Bug fix gssoc:approved Approved by GSSOC admin mentor:Ayush-Patel-56 Replace Ayush-Patel-56 with mentor's GitHub handle to credit them nsoc26 level2 SSoC26 Medium labels Jun 23, 2026
@Ayush-Patel-56 Ayush-Patel-56 merged commit a850dec into Coder-s-OG-s:main Jun 23, 2026
2 of 3 checks passed


Development

Successfully merging this pull request may close these issues.

getPrCiStatus doesn't verify the installationId belongs to the caller
