fix: prevent IDOR vulnerability in environment update endpoint

gagantrivedi · gagantrivedi · commit 90b1762d38d5 · 2025-12-08T14:14:25.000+05:30
Make the `project` field read-only during environment updates to prevent
attackers from moving an environment to a different project they don't own.

The vulnerability allowed an attacker with access to their own environment
to modify the `project` field in the PUT request body, effectively moving
their environment into a victim's project.

Fix: Override __init__ in CreateUpdateEnvironmentSerializer to set
project field as read-only when instance exists (update operation).
diff --git a/api/environments/serializers.py b/api/environments/serializers.py
@@ -130,6 +130,12 @@ class Meta(EnvironmentSerializerWithMetadata.Meta):
             )
         ]
 
+    def __init__(self, *args: Any, **kwargs: Any) -> None:
+        super().__init__(*args, **kwargs)  # type: ignore[no-untyped-call]
+        # Prevent IDOR: project cannot be changed after creation
+        if self.instance is not None:
+            self.fields["project"].read_only = True
+
     def get_subscription(self) -> Subscription | None:
         view = self.context["view"]
 
diff --git a/api/tests/unit/environments/test_unit_environments_views.py b/api/tests/unit/environments/test_unit_environments_views.py
@@ -1083,6 +1083,38 @@ def test_environment_update_cannot_change_is_creating(
     assert response.json()["is_creating"] is False
 
 
+def test_environment_update_cannot_change_project(
+    environment: Environment,
+    project: Project,
+    organisation: Organisation,
+    admin_client_new: APIClient,
+) -> None:
+    # Given - an environment in the original project
+    original_project = project
+    url = reverse("api-v1:environments:environment-detail", args=[environment.api_key])
+
+    # and a different project
+    other_project = Project.objects.create(
+        name="Other Project", organisation=organisation
+    )
+
+    data = {
+        "project": other_project.id,
+        "name": environment.name,
+    }
+
+    # When
+    response = admin_client_new.put(
+        url, data=json.dumps(data), content_type="application/json"
+    )
+
+    # Then - the project should NOT change
+    assert response.status_code == status.HTTP_200_OK
+    environment.refresh_from_db()
+    assert environment.project_id == original_project.id
+    assert response.json()["project"] == original_project.id
+
+
 def test_get_document(
     environment: Environment,
     project: Project,

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,12 @@ class Meta(EnvironmentSerializerWithMetadata.Meta):`
`130`	`130`	`)`
`131`	`131`	`]`
`132`	`132`
	`133`	`+ def __init__(self, args: Any, *kwargs: Any) -> None:`
	`134`	`+ super().__init__(args, *kwargs) # type: ignore[no-untyped-call]`
	`135`	`+ # Prevent IDOR: project cannot be changed after creation`
	`136`	`+ if self.instance is not None:`
	`137`	`+ self.fields["project"].read_only = True`
	`138`	`+`
`133`	`139`	`def get_subscription(self) -> Subscription \| None:`
`134`	`140`	`view = self.context["view"]`
`135`	`141`