[SECURITY] fix: add tenant isolation to scorecard endpoints (critical IDOR)#2918
[SECURITY] fix: add tenant isolation to scorecard endpoints (critical IDOR)#2918namann5 wants to merge 1 commit into
Conversation
…IDOR)
Scorecard endpoints authenticated users via Bearer token but never
verified the user belonged to the requested company_id. This allowed
any authenticated user to view any company's agent performance data
and force-refresh any agent's scorecard across tenant boundaries.
Added _verify_tenant_access() that:
- Looks up the authenticated user's company_id from profiles table
- Compares it against the requested company_id
- Returns 403 Forbidden on cross-tenant access
Applied to all three endpoints: GET /company/{id}, GET /agent/{id},
POST /refresh/{agent_id}.
|
@namann5 is attempting to deploy a commit to the ritesh Team on Vercel. A member of the Team first needs to authorize it. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bb40df4331
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
1 participant
🔒 Security Fix: Tenant Isolation for Scorecard Endpoints
Fixes #2917
Vulnerability
All
/api/scorecard/*endpoints authenticated users but never verified they belonged to the requestedcompany_id. Any authenticated user could:Fix
Added
_verify_tenant_access()that looks up the authenticated user's company_id from the profiles table and compares it against the requested company_id. Returns 403 Forbidden on cross-tenant access.Verification
backend/scorecard_router.pychangedSeverity: Critical — CVSS 7.5 (IDOR / Broken Access Control)
Level:
critical|advanced