Skip to content

fix: block .da-versions access through the generic source/list/delete routes#302

Merged
kptdobe merged 4 commits into
mainfrom
da-versions-source-route-guard
Jul 16, 2026
Merged

fix: block .da-versions access through the generic source/list/delete routes#302
kptdobe merged 4 commits into
mainfrom
da-versions-source-route-guard

Conversation

@benpeter

Copy link
Copy Markdown
Contributor

The generic source/list/delete routes have a guard that should keep them out of version storage. It matched only a leading .da-versions. But version bodies and audit logs live at {org}/{repo}/.da-versions/{fileId}/..., and daCtx.key is org-stripped. So the key starts with {repo}/. The guard did not fire. Any authorized org member could reach version storage through /source. They could read, delete, or forge the version history and audit log of a document their ACL forbids. The guard broke when versions moved to the repo-scoped layout (#253). src/index.js was not updated.

The fix matches .da-versions as any path segment of the key, not only the first. /versionsource and /versionlist are not affected. They build the physical key later, in the storage layer. Their daCtx.key has no .da-versions segment. Ordinary content and the legacy org-root layout stay covered.

Tests: the generic routes now return 404 on .da-versions paths (was 200). Unit tests cover the read, write, and list vectors. A live integration check shows the leak before the fix and 404 after.

benpeter added 4 commits July 15, 2026 17:41
…utes

The router guard only matches a leading '.da-versions', but version and
audit objects are stored at the repo-scoped key '{repo}/.da-versions/...'.
daCtx.key is org-stripped, so it starts with '{repo}/' and the guard never
fires - the generic source/list/delete routes reach raw version and audit
storage. These tests drive GET/DELETE/list at a .da-versions path and expect
404; they fail (200) against the current guard.
Version bodies and audit logs are stored at the repo-scoped R2 key
'{org}/{repo}/.da-versions/{fileId}/...'. The router guard that is meant to
keep the generic source/list/delete routes out of that storage only matched
a leading '.da-versions', but daCtx.key is org-stripped and so begins with
'{repo}/'. The guard stopped firing when versions moved from the org-root
layout to the repo-scoped one, letting any authorized org member read version
history and audit logs of documents their ACL forbids, and delete or forge
the audit log through the generic routes.

Match '.da-versions' as any path segment of the org-stripped key. The
ACL-aware versionsource/versionlist routes build the physical key internally
and never carry a '.da-versions' segment in daCtx.key, so they are unaffected;
ordinary content paths are unaffected. The legacy org-root layout stays covered
as the first segment.
…ions

Adds two integration assertions after page creation: the generic list route
on the reserved .da-versions folder and a write+read through the generic source
route both return 404. Against the stale guard the list returns 200 and leaks
the audit/version entries; the fix makes both 404.
…substring)

Adds three regression locks: the legacy org-root '.da-versions' first-segment
layout still 404s, a POST write to a .da-versions audit key 404s (the forge
vector), and a path segment that merely contains 'da-versions'
('my-da-versions-notes') still dispatches - pinning segment-exact matching so a
future change to a substring check would fail loudly.
@codecov

codecov Bot commented Jul 15, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@kptdobe kptdobe merged commit 3d74efa into main Jul 16, 2026
6 checks passed
@kptdobe kptdobe deleted the da-versions-source-route-guard branch July 16, 2026 06:39
adobe-bot pushed a commit that referenced this pull request Jul 16, 2026
## [1.12.4](v1.12.3...v1.12.4) (2026-07-16)

### Bug Fixes

* block .da-versions access through the generic source/list/delete routes ([#302](#302)) ([3d74efa](3d74efa))
@adobe-bot

Copy link
Copy Markdown
Collaborator

🎉 This PR is included in version 1.12.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants