mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-30 15:18:50 +01:00
06ba025bd9
Some checks are pending
Docker Dev Branch Images Build / build (Dockerfile, lc-dev, node) (push) Waiting to run
Docker Dev Branch Images Build / build (Dockerfile.multi, lc-dev-api, api-build) (push) Waiting to run
Docker Dev Images Build / build (Dockerfile, librechat-dev, node) (push) Waiting to run
Docker Dev Images Build / build (Dockerfile.multi, librechat-dev-api, api-build) (push) Waiting to run
Sync Locize Translations & Create Translation PR / Sync Translation Keys with Locize (push) Waiting to run
Sync Locize Translations & Create Translation PR / Create Translation PR on Version Published (push) Blocked by required conditions
Adds access control check to GET /api/permissions/:resourceType/:resourceId
endpoint to prevent unauthorized disclosure of agent permission information.
## Vulnerability Summary
LibreChat version 0.8.1-rc2 did not enforce proper access control when
querying agent permissions. Any authenticated user could read the permissions
of arbitrary agents by knowing the agent ID, even for private agents they
had no access to.
**Impact:**
- Attackers could enumerate which users have access to private agents
- Permission levels (owner, editor, viewer) were exposed
- User emails and names of permitted users were disclosed
- Agent's public/private sharing status was revealed
**Attack Vector:**
```
GET /api/permissions/agent/{agent_id}
Authorization: Bearer <any_valid_token>
```
The MongoDB ObjectId format (timestamp + process ID + counter) made it
feasible to brute-force discover valid agent IDs.
## Fix
Added `checkResourcePermissionAccess` middleware factory that enforces
SHARE permission before allowing access to permission queries. This
middleware is now applied to the GET endpoint, matching the existing
access control on the PUT endpoint.
**Before:**
```javascript
router.get('/:resourceType/:resourceId', getResourcePermissions);
```
**After:**
```javascript
router.get(
'/:resourceType/:resourceId',
checkResourcePermissionAccess(PermissionBits.SHARE),
getResourcePermissions,
);
```
The middleware handles all supported resource types:
- Agent (ResourceType.AGENT)
- Prompt Group (ResourceType.PROMPTGROUP)
- MCP Server (ResourceType.MCPSERVER)
## Code Changes
**api/server/routes/accessPermissions.js:**
- Added `checkResourcePermissionAccess()` middleware factory
- Applied middleware to GET /:resourceType/:resourceId endpoint
- Refactored PUT endpoint to use the same middleware factory (DRY)
**api/server/routes/accessPermissions.test.js:**
- Added security tests verifying unauthorized access is denied
- Tests confirm 403 Forbidden for users without SHARE permission
## Security Tests
```
✓ should deny permission query for user without access (main vulnerability test)
✓ should return 400 for unsupported resource type
✓ should deny permission update for user without access
|
||
|---|---|---|
| .. | ||
| __tests__ | ||
| agents | ||
| assistants | ||
| files | ||
| types | ||
| accessPermissions.js | ||
| accessPermissions.test.js | ||
| actions.js | ||
| auth.js | ||
| balance.js | ||
| banner.js | ||
| categories.js | ||
| config.js | ||
| convos.js | ||
| endpoints.js | ||
| index.js | ||
| keys.js | ||
| mcp.js | ||
| memories.js | ||
| messages.js | ||
| models.js | ||
| oauth.js | ||
| presets.js | ||
| prompts.js | ||
| prompts.test.js | ||
| roles.js | ||
| search.js | ||
| settings.js | ||
| share.js | ||
| static.js | ||
| tags.js | ||
| user.js | ||