The POST /purchases/:id/send_invoice route is vulnerable to an Insecure Direct Object Reference (IDOR). The send_invoice action and the set_purchase before_action fetch a Purchase object based on the user-supplied :id parameter without adequate authorization checks. Although an email confirmation check is present, it is insufficient for robust object-level access control.
Vulnerable Code:
Likely in set_purchase (a before_action for send_invoice):

    # The purchase is looked up purely from the caller-supplied :id; nothing
    # ties the record to current_user (buyer or seller).
    @purchase = Purchase.find_by_external_id(params[:id]) # Or similar

In send_invoice:

    def send_invoice
      # @purchase arrives from set_purchase above; no ownership check against
      # current_user happens here either.
      @chargeable = Charge::Chargeable.find_by_purchase_or_charge!(purchase: @purchase)
      # ... invoice generation and sending logic ...
    end
Vulnerability:
An attacker can supply a valid purchase ID they do not own in the URL and, if they know the associated email address, trigger the invoice generation and sending process for that purchase.
Reproduction Steps:
- Obtain a valid purchase ID (:id) and the associated email address for a purchase not owned by the attacker.
- Send a POST request to /purchases/:id/send_invoice with the victim's purchase ID in the URL and the victim's email in the request body.
Impact:
An attacker can send invoices for purchases they do not own, potentially leading to information leakage or other unintended consequences depending on the invoice content and delivery method.
Recommendation:
Implement robust object-level authorization in the set_purchase before_action or within the send_invoice action to ensure that only authorized users (e.g., the buyer or the seller of the product) can access and send invoices for a given purchase. This should involve checking the current_user against the @purchase object's ownership or associated users.
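As an added illustration (not code from the report or the application), a framework-free Ruby sketch of the check the recommendation describes: the email-only gate next to an ownership check tied to current_user. User, Product, Purchase, the seller relationship and the sample data are stand-ins assumed for the example.

```ruby
# Added example (not the application's code): stand-in models, constructed data.
User     = Struct.new(:id, :email)
Product  = Struct.new(:id, :seller_id)
Purchase = Struct.new(:external_id, :purchaser_id, :email, :product)

class NotAuthorized < StandardError; end
class NotFound     < StandardError; end

# Constructed sample data: Alice bought a product sold by Bob; Mallory is a third party.
USERS = {
  alice:   User.new(1, "alice@example.test"),
  bob:     User.new(2, "bob@example.test"),
  mallory: User.new(3, "mallory@example.test"),
}
PURCHASES = {
  "p-100" => Purchase.new("p-100", 1, "alice@example.test", Product.new(10, 2)),
}

def find_purchase(external_id)
  PURCHASES.fetch(external_id) { raise NotFound, "unknown purchase #{external_id}" }
end

# Mirrors the reported behaviour: the only gate is that the submitted email
# matches the purchase, so any caller who knows the id and the email passes.
def vulnerable_set_purchase(params)
  purchase = find_purchase(params[:id])
  raise NotAuthorized unless purchase.email.casecmp?(params[:email].to_s)
  purchase
end

# Object-level rule: only the buyer or the product's seller may act on a purchase.
def purchase_accessible?(current_user, purchase)
  return false if current_user.nil?
  purchase.purchaser_id == current_user.id || purchase.product.seller_id == current_user.id
end

# Hardened before_action: authorization depends on the session user, never on a
# value the caller supplies. Answering 404 for both "missing" and "not yours"
# avoids confirming which purchase ids exist.
def authorized_set_purchase(current_user, params)
  purchase = find_purchase(params[:id])
  raise NotAuthorized unless purchase_accessible?(current_user, purchase)
  purchase
end

def send_invoice(current_user, params)
  purchase = authorized_set_purchase(current_user, params)
  { to: purchase.email, purchase: purchase.external_id } # stand-in for the mailer
end
```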