HIGH: Payment UPDATE/DELETE lack user_id in WHERE clause (defense-in-depth) #72
Reference: null/BillTracker#72
Bug Description
After verifying ownership via a JOIN query, the subsequent UPDATE and DELETE operations on payments use only the payment id in the WHERE clause, without including user_id:
UPDATE payments SET ... WHERE id = ?
DELETE FROM payments WHERE id = ?
The ownership check happens first via a JOIN (payments JOIN bills WHERE b.user_id = ?), so this is not currently exploitable. However, it's a defense-in-depth violation:
Affected Code
Impact
Defense-in-depth gap. If the initial ownership check were ever bypassed or code restructured, payments could be modified across user boundaries.
Recommended Fix
Add AND bill_id IN (SELECT id FROM bills WHERE user_id = ?) to all payment UPDATE/DELETE statements, or re-fetch the payment through the ownership JOIN after mutation.
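The following is an added illustration, not BillTracker's own code: an in-memory SQLite model with assumed column names (bills.user_id, payments.bill_id) that contrasts the current id-only mutation with the recommended ownership-scoped WHERE clause, including the case where the preceding JOIN check is skipped.

```python
import sqlite3

# Constructed schema mirroring the issue: payments belong to bills, bills belong
# to users. Column names are assumptions, not taken from the real project.
SCHEMA = """
CREATE TABLE bills (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL);
CREATE TABLE payments (id INTEGER PRIMARY KEY,
                       bill_id INTEGER NOT NULL REFERENCES bills(id),
                       amount REAL NOT NULL);
INSERT INTO bills VALUES (1, 100), (2, 200);       -- user 100 owns bill 1, user 200 owns bill 2
INSERT INTO payments VALUES (10, 1, 25.0), (20, 2, 40.0);
"""

def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def owns_payment(conn, payment_id, user_id):
    # The existing pre-check: JOIN payments to bills on the caller's user_id.
    row = conn.execute(
        "SELECT 1 FROM payments p JOIN bills b ON b.id = p.bill_id "
        "WHERE p.id = ? AND b.user_id = ?", (payment_id, user_id)).fetchone()
    return row is not None

def update_amount_current(conn, payment_id, user_id, amount):
    # Current pattern from the issue: check first, then mutate by id only.
    if not owns_payment(conn, payment_id, user_id):
        return 0
    return conn.execute("UPDATE payments SET amount = ? WHERE id = ?",
                        (amount, payment_id)).rowcount

def update_amount_bypassed(conn, payment_id, amount):
    # Models the failure mode the issue warns about: the id-only UPDATE reached
    # without the JOIN check (e.g. after a refactor). Any user's row is writable.
    return conn.execute("UPDATE payments SET amount = ? WHERE id = ?",
                        (amount, payment_id)).rowcount

def update_amount_hardened(conn, payment_id, user_id, amount):
    # Recommended fix: the mutation itself is scoped to the caller's bills, so a
    # skipped or wrong pre-check still yields rowcount 0 for foreign payments.
    return conn.execute(
        "UPDATE payments SET amount = ? WHERE id = ? "
        "AND bill_id IN (SELECT id FROM bills WHERE user_id = ?)",
        (amount, payment_id, user_id)).rowcount

def delete_payment_hardened(conn, payment_id, user_id):
    # Same scoping applied to DELETE; callers should treat rowcount 0 as "not found".
    return conn.execute(
        "DELETE FROM payments WHERE id = ? "
        "AND bill_id IN (SELECT id FROM bills WHERE user_id = ?)",
        (payment_id, user_id)).rowcount
```

Checking rowcount after the scoped statement also gives a cheap audit signal: a 0 where the pre-check said the row existed means the two checks disagree and is worth logging.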
closed v0.34.2.1