Security Fix 6: Checklist delete IDOR: checklist not verified against board/card.

Thanks to Joshua Rogers of joshua.hu, Twitter MegaManSec !
2025-12-30 22:28:49 +01:00 · 2025-12-29 16:54:04 +02:00 · 2025-12-29 16:54:04 +02:00 · 08a6f084eb
commit 08a6f084eb
parent 181f837d8c
1 changed files with 28 additions and 0 deletions
--- a/models/checklists.js
+++ b/models/checklists.js
@ -436,8 +436,36 @@ if (Meteor.isServer) {
    '/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
    function(req, res) {
      const paramBoardId = req.params.boardId;
+      const paramCardId = req.params.cardId;
      const paramChecklistId = req.params.checklistId;
      Authentication.checkBoardAccess(req.userId, paramBoardId);
+
+      // Verify the card belongs to the board
+      const card = ReactiveCache.getCard({
+        _id: paramCardId,
+        boardId: paramBoardId,
+      });
+      if (!card) {
+        JsonRoutes.sendResult(res, {
+          code: 404,
+          data: { error: 'Card not found or does not belong to the specified board' },
+        });
+        return;
+      }
+
+      // Verify the checklist exists and belongs to the card
+      const checklist = ReactiveCache.getChecklist({
+        _id: paramChecklistId,
+        cardId: paramCardId,
+      });
+      if (!checklist) {
+        JsonRoutes.sendResult(res, {
+          code: 404,
+          data: { error: 'Checklist not found or does not belong to the specified card' },
+        });
+        return;
+      }
+
      Checklists.remove({ _id: paramChecklistId });
      JsonRoutes.sendResult(res, {
        code: 200,