Scope mothership updateSoftwareRelease to the caller's container#7763
Merged
labkey-martyp merged 2 commits intoJun 18, 2026
Merged
Conversation
MothershipManager.updateSoftwareRelease did a raw Table.update keyed only on the primary key with no container filter, and set the bean's container to the caller's folder. A user with UpdatePermission in one folder could therefore edit and re-home a SoftwareRelease owned by another folder via an attacker-supplied softwareReleaseId on the bean-bound update form. This adds a container-scoped getSoftwareRelease lookup and verifies the target row belongs to the caller's container before updating, throwing NotFoundException otherwise. Also fix an incidental NPE in BulkUpdateAction where updateExceptionStackTrace was called even when the container-scoped lookup returned null; the call now happens only inside the null check.
Contributor
Author
|
@josheckels This is a low risk issue. The ROI on an integration test setting up multiple containers seems too low. |
labkey-jeckels
approved these changes
Jun 17, 2026
…fb_mothership_release_container
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rationale
MothershipManager.updateSoftwareRelease performed a raw Table.update keyed only on the SoftwareRelease primary key, with no container filter, and reassigned the row's container to the caller's folder. Because the update form binds softwareReleaseId directly from the request and UpdateAction only checks UpdatePermission against the current folder, a user with update rights in one folder could edit — and re-home into their own folder — a SoftwareRelease owned by another folder. This scopes the update to the caller's container so only rows that already belong to that folder can be modified.
Related Pull Requests
Changes