Security Fix 7: Checklist create IDOR: cardId not verified against boardId.

Thanks to Joshua Rogers of joshua.hu, Twitter MegaManSec !
2026-01-03 08:08:49 +01:00 · 2025-12-29 16:58:26 +02:00 · 2025-12-29 16:58:26 +02:00 · 5cd875813f
commit 5cd875813f
parent 08a6f084eb
1 changed files with 42 additions and 0 deletions
--- a/models/checklists.js
+++ b/models/checklists.js
@ -290,6 +290,20 @@ if (Meteor.isServer) {
      const paramBoardId = req.params.boardId;
      const paramCardId = req.params.cardId;
      Authentication.checkBoardAccess(req.userId, paramBoardId);
+
+      // Verify the card belongs to the board
+      const card = ReactiveCache.getCard({
+        _id: paramCardId,
+        boardId: paramBoardId,
+      });
+      if (!card) {
+        JsonRoutes.sendResult(res, {
+          code: 404,
+          data: { error: 'Card not found or does not belong to the specified board' },
+        });
+        return;
+      }
+
      const checklists = ReactiveCache.getChecklists({ cardId: paramCardId }).map(function(
        doc,
      ) {
@ -335,6 +349,20 @@ if (Meteor.isServer) {
      const paramChecklistId = req.params.checklistId;
      const paramCardId = req.params.cardId;
      Authentication.checkBoardAccess(req.userId, paramBoardId);
+
+      // Verify the card belongs to the board
+      const card = ReactiveCache.getCard({
+        _id: paramCardId,
+        boardId: paramBoardId,
+      });
+      if (!card) {
+        JsonRoutes.sendResult(res, {
+          code: 404,
+          data: { error: 'Card not found or does not belong to the specified board' },
+        });
+        return;
+      }
+
      const checklist = ReactiveCache.getChecklist({
        _id: paramChecklistId,
        cardId: paramCardId,
@ -384,6 +412,20 @@ if (Meteor.isServer) {
      const addPermission = allowIsBoardMemberCommentOnly(req.userId, board);
      Authentication.checkAdminOrCondition(req.userId, addPermission);
      const paramCardId = req.params.cardId;
+
+      // Verify the card belongs to the board
+      const card = ReactiveCache.getCard({
+        _id: paramCardId,
+        boardId: paramBoardId,
+      });
+      if (!card) {
+        JsonRoutes.sendResult(res, {
+          code: 404,
+          data: { error: 'Card not found or does not belong to the specified board' },
+        });
+        return;
+      }
+
      const id = Checklists.insert({
        title: req.body.title,
        cardId: paramCardId,