[PR #2578] [MERGED] fix(labels): fix access-control query leak in label reads (GHSA-hj5c-mhh2-g7jq) #10095

New Issue

GiteaMirror · 2026-04-23T09:23:42-05:00

GiteaMirror commented

2026-04-23 09:23:42 -05:00

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/2578
Author: @tink-bot
Created: 4/9/2026
Status: ✅ Merged
Merged: 4/9/2026
Merged by: @kolaente

Base: main ← Head: fix-label-access-sql-precedence

📝 Commits (2)

6906857 fix(labels): correct broken access-control query for label reads (GHSA-hj5c-mhh2-g7jq)
c7711cf fix(labels): derive label max permission from accessible tasks only

📊 Changes

4 files changed (+194 additions, -30 deletions)

View changed files

📝 pkg/db/fixtures/label_tasks.yml (+12 -1)
📝 pkg/db/fixtures/labels.yml (+20 -0)
📝 pkg/models/label_permissions.go (+59 -19)
📝 pkg/models/label_test.go (+103 -10)

📄 Description

hasAccessToLabel chained .Where/.Or/.And on the xorm session, which flattened to WHERE A OR B OR C AND D. Under SQL precedence that evaluates as A OR B OR (C AND D), so the labels.id = ? scope only narrowed one branch — the other two branches leaked every label with any label_tasks row and every label the caller had ever created, regardless of the requested id.

The query is now built with explicit builder.And / builder.Or grouping so the label-id scope wraps the full disjunction. The bogus label_tasks.label_id IS NOT NULL branch is removed, the creator branch is restricted to real user auths, and Exist(ll) becomes Get(ll) so the follow-up Task.CanRead permission computation actually runs; the creator-only path falls back to PermissionRead.

Regression coverage adds fixture label #6 (private, task #34 in project #20) and label #7 (created by user #1, unattached) with explicit allow/deny assertions in TestLabel_ReadOne, and updates TestLabel_ReadAll expectations accordingly.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/go-vikunja/vikunja/pull/2578 **Author:** [@tink-bot](https://github.com/tink-bot) **Created:** 4/9/2026 **Status:** ✅ Merged **Merged:** 4/9/2026 **Merged by:** [@kolaente](https://github.com/kolaente) **Base:** `main` ← **Head:** `fix-label-access-sql-precedence` --- ### 📝 Commits (2) - [`6906857`](https://github.com/go-vikunja/vikunja/commit/6906857cfe8fcf216c7394c0b736648c38fe2401) fix(labels): correct broken access-control query for label reads (GHSA-hj5c-mhh2-g7jq) - [`c7711cf`](https://github.com/go-vikunja/vikunja/commit/c7711cf3fa215f0be05e49f954c910818e646ebe) fix(labels): derive label max permission from accessible tasks only ### 📊 Changes **4 files changed** (+194 additions, -30 deletions) <details> <summary>View changed files</summary> 📝 `pkg/db/fixtures/label_tasks.yml` (+12 -1) 📝 `pkg/db/fixtures/labels.yml` (+20 -0) 📝 `pkg/models/label_permissions.go` (+59 -19) 📝 `pkg/models/label_test.go` (+103 -10) </details> ### 📄 Description `hasAccessToLabel` chained `.Where`/`.Or`/`.And` on the xorm session, which flattened to `WHERE A OR B OR C AND D`. Under SQL precedence that evaluates as `A OR B OR (C AND D)`, so the `labels.id = ?` scope only narrowed one branch — the other two branches leaked every label with any `label_tasks` row and every label the caller had ever created, regardless of the requested id. The query is now built with explicit `builder.And` / `builder.Or` grouping so the label-id scope wraps the full disjunction. The bogus `label_tasks.label_id IS NOT NULL` branch is removed, the creator branch is restricted to real user auths, and `Exist(ll)` becomes `Get(ll)` so the follow-up `Task.CanRead` permission computation actually runs; the creator-only path falls back to `PermissionRead`. Regression coverage adds fixture label #6 (private, task #34 in project #20) and label #7 (created by user #1, unattached) with explicit allow/deny assertions in `TestLabel_ReadOne`, and updates `TestLabel_ReadAll` expectations accordingly. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-23 09:23:42 -05:00

GiteaMirror closed this issue

2026-04-23 09:23:43 -05:00

Sign in to join this conversation.

Branches Tags

main

renovate/dev-dependencies

feat-v2-foundation

dependabot/npm_and_yarn/frontend/axios-1.15.2

spike-huma-openapi3

claude/investigate-swagger3-support-nyyUa

feat-list-view-buckets

ci-mysql-8-test

codex/analyze-codebase-for-email-task-feature

feat-project-templates

csv-import-feature

claude/email-reply-comments-wpdcQ

fix-oidc-pkce-support

fix/overview-subtasks-expand

feat/bucket-select-task-detail

feat-soft-delete-projects

claude/review-bot-design-plan-cf5C3

claude/project-scoped-api-tokens-KTqR3

claude/explore-openclaw-integration-KQEzg

claude/project-scoped-api-tokens-yv5KS

fix-duplicate-close-button

feat-list-view-sorting

feat/official-vite-sentry-plugin

feat/highlight-overdue-tasks

feat/add-enter-key-form-submission-handling

feat/TipTap-nits

feat/update-caldavtimetotimestamp-parsing

feat-phosphor-icons

wip-plans

claude/investigate-issue-2173-llKme

fix-description-text-drag

feat-custom-keyboard-shortcuts

pr-1845-ci

codex/fix-drag-and-drop-behavior-inconsistency

copilot/add-clickable-labels-for-filtering

copilot/fix-issue-1786

playwright-migration

fix-kanban-repeating-wip

copilot/fix-1498

feature/replace-axios

codex/upgrade-to-tailwind-4.1.8-using-pnpm

codex/add-cypress-test-for-avatar-types

feature/biome

feature/oxc

codex/update-flexsearch-to-0.8.205

4r6ni9-codex/fix-deprecated-sass-@import-usage

codex/fix-deprecated-sass-@import-usage

codex/add-cypress-test-for-task-list-refresh-fix

codex/fix-quick-add-magic-not-adding-tasks

codex/fix-all-type-errors

codex/fix-mimetype-for-docs.json

feature/caldav-from-scratch

feature/gh-actions-hetzner

fix-ci

feat/new-logger

jyte-better-dev-config

feat/add-team-member-with-enter

fix/button-and-icon-types

fix/notifications-component-name-collision

feature/null-time

renovate/tailwindcss-4.x

feature/unplugin-vue-router

fix/deprecated-import

feature/zod-schema

renovate/golangci-golangci-lint-1.x

fix/tiptap-editor-reactive-destructuring

release/0.24

feat/improve-add-task

fix/saved-filter-search

feat/webp-and-avif-attachment-previews

feature/migrate-back-to-bulma

fix/sass-add-missing-list-import

feature/sticky-demo-bar

fix/gantt-view-switch

feature/typesense-position-join

feature/focus-visible

dependencies/golangci-lint

feature/better-filter-syntax

fix/tiptap-task-list

renovate/github.com-golang-jwt-jwt-v4-5.x

feature/hide-forbidden-related-tasks

renovate/golang-1.x

release/0.20

release/0.17

release/0.16

release/0.15

release/0.14

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vikunja#10095