Conversation


@coderabbitai coderabbitai bot commented Dec 14, 2025

Docstrings generation was requested by @drfarrell.

The following files were modified:

  • apps/web/client/src/server/api/routers/project/helper.ts
ℹ️ Note

CodeRabbit cannot perform edits on its own pull requests yet.


Important

Add docstrings to extractCsbPort() and verifyProjectAccess() in helper.ts for improved documentation.

  • Docstrings:
    • Added docstring to extractCsbPort() in helper.ts, describing its purpose, parameters, and return value.
    • Added docstring to verifyProjectAccess() in helper.ts, detailing its parameters, return value, and exceptions thrown.

This description was created by Ellipsis for b713556. You can customize this summary. It will automatically update as commits are pushed.

drfarrell and others added 2 commits December 13, 2025 22:57
This commit addresses a critical Broken Object Level Authorization (BOLA)
vulnerability where authenticated users could modify, delete, or manipulate
tags on projects they don't own by sending requests with arbitrary project IDs.

Changes:
- Add verifyProjectAccess() helper function to verify user project membership
- Add authorization checks to delete, update, addTag, and removeTag mutations
- Ensure all project mutations verify ownership before performing operations

The fix validates that the authenticated user has access to the project via
the userProjects junction table before allowing any mutation operations.

Security Impact: Prevents unauthorized users from modifying or deleting
projects that don't belong to them.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Docstrings generation was requested by @drfarrell.

* #3062 (comment)

The following files were modified:

* `apps/web/client/src/server/api/routers/project/helper.ts`
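The authorization check the first commit message describes, as an added TypeScript example that is not the project's own helper.ts. It shows the pattern side by side: a mutation that trusts the client-supplied projectId (the BOLA) and the same mutation guarded by a verifyProjectAccess() that consults the userProjects junction table first. The in-memory tables, the Ctx shape, the FORBIDDEN/NOT_FOUND error codes and the helper names hasProjectAccess() and projectExists() are assumptions standing in for the real database client and request context.

```typescript
// Added example, not Onlook's helper.ts: a BOLA check modelled on the
// commit message above. The in-memory tables, the Ctx shape and the
// error codes are assumptions standing in for the real database and
// request context.

type UserProject = { userId: string; projectId: string };
type Project = { name: string; tags: string[] };
// Assumed: userId comes from the verified session, never from the request body.
interface Ctx { userId: string }

// Constructed sample data: the userProjects junction table and the projects table.
const userProjects: UserProject[] = [
  { userId: "alice", projectId: "proj-1" },
  { userId: "bob", projectId: "proj-2" },
];
const projects = new Map<string, Project>([
  ["proj-1", { name: "Alice's site", tags: ["draft"] }],
  ["proj-2", { name: "Bob's site", tags: [] }],
]);

function forbidden(userId: string, projectId: string): Error & { code: string } {
  return Object.assign(
    new Error(`user ${userId} has no access to project ${projectId}`),
    { code: "FORBIDDEN" },
  );
}

// Membership lookup against the junction table.
function hasProjectAccess(userId: string, projectId: string): boolean {
  return userProjects.some((row) => row.userId === userId && row.projectId === projectId);
}

// Throws unless the authenticated user is a member of the project. Runs
// before the existence check on purpose: a non-member gets the same error
// whether or not the id is real, so the endpoint cannot be used to
// enumerate project ids.
function verifyProjectAccess(userId: string, projectId: string): void {
  if (!hasProjectAccess(userId, projectId)) throw forbidden(userId, projectId);
}

// Before the fix: the mutation acts on whatever projectId the client sends.
function deleteProjectUnchecked(_ctx: Ctx, projectId: string): boolean {
  return projects.delete(projectId);
}

// After the fix: authorization first, then the operation.
function deleteProject(ctx: Ctx, projectId: string): boolean {
  verifyProjectAccess(ctx.userId, projectId);
  return projects.delete(projectId);
}

// Same guard on a tag mutation; returns the project's tags after the change.
function addTag(ctx: Ctx, projectId: string, tag: string): string[] {
  verifyProjectAccess(ctx.userId, projectId);
  const project = projects.get(projectId);
  if (!project) throw Object.assign(new Error("project not found"), { code: "NOT_FOUND" });
  if (!project.tags.includes(tag)) project.tags.push(tag);
  return [...project.tags];
}

function projectExists(projectId: string): boolean {
  return projects.has(projectId);
}
```

With this ordering, bob calling deleteProject on proj-1 is rejected with FORBIDDEN and proj-1 survives, while deleteProjectUnchecked lets alice remove bob's proj-2. The check must sit in every mutation (delete, update, addTag, removeTag), because an unguarded sibling endpoint reopens the hole.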
@coderabbitai coderabbitai bot requested a review from drfarrell December 14, 2025 07:05

vercel bot commented Dec 14, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project      Deployment   Review             Updated (UTC)
web-onlook   Ready        Preview, Comment   Dec 14, 2025 7:08am

1 Skipped Deployment

Project      Deployment   Review     Updated (UTC)
docs-onlook  Skipped      Skipped    Dec 14, 2025 7:08am

@vercel vercel bot temporarily deployed to Preview – docs-onlook December 14, 2025 07:05 Inactive

coderabbitai bot commented Dec 14, 2025

Important

Review skipped

CodeRabbit bot authored PR detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.


supabase bot commented Dec 14, 2025

This pull request has been ignored for the connected project wowaemfasoptxrdjhilu because there are no changes detected in apps/backend/supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

Base automatically changed from fix-cve-2025-63783-idor to main December 14, 2025 07:27