Overview: An Insecure Direct Object Reference (IDOR) vulnerability exists in the GET /api/annotations endpoint. The API fails to verify whether the authenticated user has the appropriate authorization or ownership rights to view the requested repository's data. As a result, an attacker can enumerate or provide arbitrary repositoryId parameters to read annotations belonging to other users' private repositories.
Steps to Reproduce:
Authenticate to the application as User A.
Identify the repositoryId of a private repository that belongs strictly to User B (this can often be guessed or enumerated).
Send a GET request to /api/annotations?repositoryId=<USER_B_REPO_ID> using User A's session token.
Observe that the API returns a 200 OK response containing all the map annotations for User B's private repository.
Expected Behavior: The endpoint should verify that the authenticated user possesses read access (either via ownership or organizational membership) to the requested repositoryId before querying and returning the mapAnnotation records. If the user lacks access, the API should return a 403 Forbidden or 404 Not Found.
Actual Behavior: The API processes the request purely based on the presence of the repositoryId and returns the annotations, exposing sensitive and private data to unauthorized users.
Impact:
Confidentiality Loss: Private, repository-specific discussions, notes, and code annotations can be leaked to unauthorized third parties.
Data Exposure: Threat actors can scrape annotations across all repositories by systematically incrementing the repositoryId parameter.
Suggested Remediation: Update the GET method in app/api/annotations/route.ts to include an authorization check prior to executing the prisma.mapAnnotation.findMany query. You can achieve this by using the existing permission utility (e.g., enforceRepositoryPermission or verifying the repository's userId matches the authenticated session) to validate read access.
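As an added illustration (not the project's own code), a hardened version of the read path in TypeScript: the repository is looked up and the caller's ownership or organisation membership is checked before the annotation query runs. The Session, Repository and MapAnnotation shapes, the canReadRepository helper, and the in-memory arrays standing in for the Prisma client are assumptions made for this example.

```typescript
// Added example, not the project's route.ts. Types and sample data are assumed;
// the two arrays stand in for prisma.repository and prisma.mapAnnotation.
type Session = { userId: string; orgIds: string[] };
type Repository = { id: string; ownerId: string; orgId: string | null; isPrivate: boolean };
type MapAnnotation = { id: string; repositoryId: string; note: string };

// Constructed sample data: three private repositories, one per owner.
const repositories: Repository[] = [
  { id: "repo-1", ownerId: "userA", orgId: null, isPrivate: true },
  { id: "repo-2", ownerId: "userB", orgId: null, isPrivate: true },
  { id: "repo-3", ownerId: "userC", orgId: "org-9", isPrivate: true },
];
const annotations: MapAnnotation[] = [
  { id: "a1", repositoryId: "repo-1", note: "User A private note" },
  { id: "a2", repositoryId: "repo-2", note: "User B private note" },
  { id: "a3", repositoryId: "repo-3", note: "org-9 shared note" },
];

// Read access is granted by ownership, organisation membership, or public visibility.
export function canReadRepository(session: Session, repo: Repository): boolean {
  if (!repo.isPrivate) return true;
  if (repo.ownerId === session.userId) return true;
  if (repo.orgId !== null && session.orgIds.includes(repo.orgId)) return true;
  return false;
}

export type HandlerResult = { status: number; body: unknown };

// Hardened GET: the repositoryId is authorized before the findMany-equivalent query.
// A missing and an unauthorized repository both yield 404 so the status code does
// not confirm which repositoryId values exist.
export function getAnnotations(session: Session | null, repositoryId: string | null): HandlerResult {
  if (session === null) return { status: 401, body: { error: "unauthenticated" } };
  if (!repositoryId) return { status: 400, body: { error: "repositoryId is required" } };
  const repo = repositories.find((r) => r.id === repositoryId);
  if (!repo || !canReadRepository(session, repo)) {
    return { status: 404, body: { error: "not found" } };
  }
  // Only reached once read access to this repository has been established.
  const rows = annotations.filter((a) => a.repositoryId === repositoryId);
  return { status: 200, body: rows };
}
```

If the application already reveals repository existence elsewhere, a 403 on the unauthorized branch is equally acceptable; the essential property is that no mapAnnotation row is read before the check passes.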