fix: block .da-versions access through the generic source/list/delete routes#302
Merged
Conversation
…utes
The router guard only matches a leading '.da-versions', but version and
audit objects are stored at the repo-scoped key '{repo}/.da-versions/...'.
daCtx.key is org-stripped, so it starts with '{repo}/' and the guard never
fires - the generic source/list/delete routes reach raw version and audit
storage. These tests drive GET/DELETE/list at a .da-versions path and expect
404; they fail (200) against the current guard.
Version bodies and audit logs are stored at the repo-scoped R2 key
'{org}/{repo}/.da-versions/{fileId}/...'. The router guard that is meant to
keep the generic source/list/delete routes out of that storage only matched
a leading '.da-versions', but daCtx.key is org-stripped and so begins with
'{repo}/'. The guard stopped firing when versions moved from the org-root
layout to the repo-scoped one, letting any authorized org member read version
history and audit logs of documents their ACL forbids, and delete or forge
the audit log through the generic routes.
Match '.da-versions' as any path segment of the org-stripped key. The
ACL-aware versionsource/versionlist routes build the physical key internally
and never carry a '.da-versions' segment in daCtx.key, so they are unaffected;
ordinary content paths are unaffected. The legacy org-root layout stays covered
as the first segment.
…ions Adds two integration assertions after page creation: the generic list route on the reserved .da-versions folder and a write+read through the generic source route both return 404. Against the stale guard the list returns 200 and leaks the audit/version entries; the fix makes both 404.
…substring)
Adds three regression locks: the legacy org-root '.da-versions' first-segment
layout still 404s, a POST write to a .da-versions audit key 404s (the forge
vector), and a path segment that merely contains 'da-versions'
('my-da-versions-notes') still dispatches - pinning segment-exact matching so a
future change to a substring check would fail loudly.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
kptdobe
approved these changes
Jul 16, 2026
adobe-bot
pushed a commit
that referenced
this pull request
Jul 16, 2026
## [1.12.4](v1.12.3...v1.12.4) (2026-07-16) ### Bug Fixes * block .da-versions access through the generic source/list/delete routes ([#302](#302)) ([3d74efa](3d74efa))
Collaborator
|
🎉 This PR is included in version 1.12.4 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The generic
source/list/deleteroutes have a guard that should keep them out of version storage. It matched only a leading.da-versions. But version bodies and audit logs live at{org}/{repo}/.da-versions/{fileId}/..., anddaCtx.keyis org-stripped. So the key starts with{repo}/. The guard did not fire. Any authorized org member could reach version storage through/source. They could read, delete, or forge the version history and audit log of a document their ACL forbids. The guard broke when versions moved to the repo-scoped layout (#253).src/index.jswas not updated.The fix matches
.da-versionsas any path segment of the key, not only the first./versionsourceand/versionlistare not affected. They build the physical key later, in the storage layer. TheirdaCtx.keyhas no.da-versionssegment. Ordinary content and the legacy org-root layout stay covered.Tests: the generic routes now return 404 on
.da-versionspaths (was 200). Unit tests cover the read, write, and list vectors. A live integration check shows the leak before the fix and 404 after.