Description
The POST /purchases/:id/send_invoice route is vulnerable to an Insecure Direct Object Reference (IDOR). The send_invoice action and the set_purchase before_action fetch a Purchase object based on the user-supplied :id parameter without adequate authorization checks. An email confirmation check is present, but it only proves that the requester knows the buyer's email address, not that the requester is the buyer or the seller, so it is insufficient for object-level access control.
Vulnerable Code:

Likely in set_purchase (a before_action for send_invoice):

```ruby
@purchase = Purchase.find_by_external_id(params[:id]) # Or similar
```

In send_invoice:

```ruby
def send_invoice
  @chargeable = Charge::Chargeable.find_by_purchase_or_charge!(purchase: @purchase)
  # ... invoice generation and sending logic ...
end
```

Vulnerability:
An attacker can supply a valid purchase ID they do not own in the URL and, if they know the associated email address, trigger the invoice generation and sending process for that purchase.
Reproduction Steps:
- Obtain a valid purchase ID (:id) and the associated email address for a purchase not owned by the attacker.
- Send a POST request to /purchases/:id/send_invoice with the victim's purchase ID in the URL and the victim's email in the request body.
Impact:
An attacker can send invoices for purchases they do not own, potentially leading to information leakage or other unintended consequences depending on the invoice content and delivery method.
Recommendation:
Implement robust object-level authorization in the set_purchase before_action or within the send_invoice action to ensure that only authorized users (e.g., the buyer or the seller of the product) can access and send invoices for a given purchase. This should involve checking the current_user against the @purchase object's ownership or associated users.
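The following is an added illustration of the recommendation, not code from the project or from this report. It models the set_purchase/send_invoice flow in plain Ruby (no Rails) so it runs stand-alone, with the email-only gate beside an object-level check against the authenticated user. The Purchase fields, the buyer/seller associations, the controller class names and the attempt helper are assumptions made for the example; the sample purchases and users are constructed.

```ruby
# Added example, not code from the project or the report: a plain-Ruby model of
# the set_purchase/send_invoice flow showing the email-only gate beside an
# object-level check against the authenticated user. Purchase fields, the
# buyer/seller associations and the attempt helper are assumptions for the
# illustration; the sample purchases and users are constructed.

User = Struct.new(:id, :email, keyword_init: true)
Purchase = Struct.new(:external_id, :buyer_id, :buyer_email, :seller_id, keyword_init: true)

class NotFound < StandardError; end
class NotAuthorized < StandardError; end

# Constructed sample data: two purchases from the same seller (user 2).
PURCHASES = [
  Purchase.new(external_id: "p_111", buyer_id: 1, buyer_email: "alice@example.com", seller_id: 2),
  Purchase.new(external_id: "p_222", buyer_id: 3, buyer_email: "bob@example.com", seller_id: 2),
].freeze

# Stands in for Purchase.find_by_external_id.
def find_purchase_by_external_id(external_id)
  PURCHASES.find { |p| p.external_id == external_id }
end

# Shape of the reported bug: the object comes straight from params[:id], and the
# only gate is whether the request body carries the buyer's email address.
class VulnerableInvoices
  def initialize(current_user, params)
    @current_user = current_user
    @params = params
  end

  def send_invoice
    purchase = find_purchase_by_external_id(@params[:id])
    raise NotFound if purchase.nil?
    raise NotAuthorized unless purchase.buyer_email == @params[:email]
    :invoice_sent # invoice generation and delivery would happen here
  end
end

# Hardened shape: the fetched object is checked against the authenticated user
# before anything is done with it, as the recommendation describes.
class HardenedInvoices
  def initialize(current_user, params)
    @current_user = current_user
    @params = params
  end

  def send_invoice
    purchase = find_purchase_by_external_id(@params[:id])
    raise NotFound if purchase.nil?
    raise NotAuthorized unless authorized?(purchase)
    :invoice_sent
  end

  private

  # Only the buyer or the seller of the product may act on this purchase.
  # Anonymous requests are denied regardless of what the body contains.
  def authorized?(purchase)
    return false if @current_user.nil?
    [purchase.buyer_id, purchase.seller_id].include?(@current_user.id)
  end
end

# Runs one request through a controller and reports the outcome as a symbol.
def attempt(controller_class, current_user, params)
  controller_class.new(current_user, params).send_invoice
rescue NotFound
  :not_found
rescue NotAuthorized
  :denied
end

if __FILE__ == $PROGRAM_NAME
  mallory = User.new(id: 99, email: "mallory@example.com")
  stolen = { id: "p_111", email: "alice@example.com" } # not Mallory's purchase
  puts "vulnerable: #{attempt(VulnerableInvoices, mallory, stolen)}"
  puts "hardened:   #{attempt(HardenedInvoices, mallory, stolen)}"
end
```

Note that the hardened version still distinguishes "not found" from "not authorized". In a real controller it is usually better to return the same response (for example 404) for both, so that the route cannot be used as an oracle for which purchase IDs exist.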