mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 06:08:33 -05:00
[PR #3214] [MERGED] Prevent cross-org site binding in target create/update #26861
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/fosrl/pangolin/pull/3214
Author: @marcschaeferger
Created: 6/4/2026
Status: ✅ Merged
Merged: 6/4/2026
Merged by: @oschwartz10612
Base:
dev← Head:dev📝 Commits (2)
5162924fix(middleware): prevent cross-org site binding in target create/updatef617f93test(middleware): add regression tests for cross-org site binding prevention📊 Changes
3 files changed (+336 additions, -5 deletions)
View changed files
➕
server/middlewares/verifySiteAccess.test.ts(+322 -0)📝
server/middlewares/verifySiteAccess.ts(+10 -4)📝
server/routers/external.ts(+4 -1)📄 Description
Description
This pull request strengthens cross-organization security checks for site access and adds comprehensive tests to prevent privilege escalation attacks when binding resources or targets to sites across different organizations. The main improvements include enforcing organization consistency in middleware, updating route stacks to ensure proper middleware order, and adding thorough tests for the new logic.
Security enforcement and middleware logic:
verifySiteAccessto reject requests if the loaded site'sorgIddoes not matchreq.userOrgId, preventing cross-organization binding attacks.PUT /resource/:resourceId/targetandPOST /target/:targetIdto ensureverifySiteAccessruns afterverifyResourceAccessorverifyTargetAccess, respectively, enforcing the new org consistency check [1] [2].Testing and validation:
verifySiteAccess.test.tsthat covers org-matching logic, cross-org rejection, route stack ordering, and security scenarios to ensure the new protections work as intended.Minor improvements:
external.tsfor rate limiting configuration.verifySiteAccess.ts.Note:
PR Titel and Description generated by AI (Copilot)
Test File generated by AI but checked and slightly modified
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.