Scope public API endpoints to caller visibility (GHSA-6ghm-wf22-pvx5)#367
Draft
jbrooksuk wants to merge 1 commit into
Conversation
The public JSON API `index`/`show` endpoints never applied the `HasVisibility` scopes that the web UI and RSS feed use, so anonymous callers could read incidents, metrics and component groups marked `authenticated`-only or `hidden`.

- Scope Incident, Metric and ComponentGroup index/show to the caller's visibility, returning 404 for out-of-scope records on show.
- Scope Component index/show by the visibility of its group (components inherit visibility from their group; ungrouped stay public, matching the status page). Hide disabled components by default with an opt-in `enabled` filter; show 404s disabled components.
- Gate the nested IncidentUpdate and MetricPoint controllers on their parent's visibility.
- Fix ComponentGroupFactory using the wrong enum for `visible`, which defaulted groups to `authenticated` instead of `guest`.
- Add API visibility regression tests across all affected endpoints.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary

The public JSON API `index`/`show` endpoints never applied the `HasVisibility` scopes that the web status page and RSS feed use. Any unauthenticated caller could list and read incidents, metrics and component groups marked `authenticated`-only or `hidden`. Fixes GHSA-6ghm-wf22-pvx5 (CWE-862, CVSS 7.5).

What changed

- Incident, Metric, ComponentGroup `index` + `show`: apply `->visible(auth()->check())`; `show` now returns 404 for out-of-scope records instead of leaking them.
- Component `index` + `show`: components have no visibility column — they inherit it from their group. Scoped by group visibility (`whereNull('component_group_id')` OR group is visible), so ungrouped components stay public, matching the status page. Also hides `disabled` components by default with an opt-in `filter[enabled]=false`; `show` 404s disabled components.
- Nested (`IncidentUpdate`, `MetricPoint`): gated on the parent's visibility so children of hidden/auth-only parents 404.
- `ComponentGroupFactory`: fixed a latent bug where `visible` was set from `ComponentGroupVisibilityEnum::expanded` (value `0`), which under the `ResourceVisibilityEnum` cast means `authenticated`. Default is now `guest`.

Guests see `guest`; authenticated sees `authenticated` + `guest`; `hidden` never; ungrouped components stay public; disabled hidden-by-default but reachable via filter; nested children respect parent visibility.

Not affected

`Schedule`/`ScheduleUpdateController` have no visibility concept and are unchanged. The advisory's inclusion of `components`/`schedules` in the "identical pattern" list is partially inaccurate: Schedule has no `visible` column, and Component's leak is via its group rather than a column of its own.

Verification
Warning
Draft: this is a public PR for an unpatched advisory, so the diff discloses the vulnerability. Coordinate with the release/advisory before marking ready.
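The scoping the PR describes, written out as an added example (not Cachet's own code): a `HasVisibility` local scope, the group-derived scope for `Component`, and a `show` lookup that scopes before fetching so an out-of-scope or disabled id answers 404 instead of leaking the row. Trait and model names follow the PR text; their bodies, the string visibility values, `showComponent` and the `enabled` handling are assumptions made for this example.

```php
<?php
// Added illustration of the pattern the PR describes, not Cachet's own
// code. Names follow the PR text; bodies, the string visibility values
// and showComponent() are assumptions made for this example.

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;

trait HasVisibility
{
    // Guests see only 'guest'; logged-in callers also see 'authenticated';
    // 'hidden' rows are never returned through this scope.
    public function scopeVisible(Builder $query, bool $authenticated): Builder
    {
        $allowed = $authenticated ? ['guest', 'authenticated'] : ['guest'];
        return $query->whereIn('visible', $allowed);
    }
}

class ComponentGroup extends Model
{
    use HasVisibility;
}

class Component extends Model
{
    public function group() { return $this->belongsTo(ComponentGroup::class, 'component_group_id'); }

    // No `visible` column of its own: ungrouped components are public,
    // grouped ones inherit the visibility of their group.
    public function scopeVisible(Builder $query, bool $authenticated): Builder
    {
        return $query->where(fn (Builder $q) => $q
            ->whereNull('component_group_id')
            ->orWhereHas('group', fn (Builder $g) => $g->visible($authenticated)));
    }
}

// Controller side (assumed helper): scope *before* the key lookup so an
// out-of-scope or disabled id yields 404 rather than leaking the record.
function showComponent(int $id, bool $includeDisabled = false): Component
{
    return Component::query()
        ->visible(auth()->check())
        ->when(! $includeDisabled, fn (Builder $q) => $q->where('enabled', true))
        ->findOrFail($id);   // ModelNotFoundException -> HTTP 404
}
```

The check that matters for the advisory is that `visible()` is applied to the query before `findOrFail`, so the existence of a hidden or auth-only record is not observable by id probing.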