
Vulnerability/sc 246 information disclosure on openproject through api v3 work packages 2 via http method patch api v3 work packages id workpackagerepresenter cache #23971

Open

EinLama wants to merge 2 commits into release/17.6 from vulnerability/sc-246-information-disclosure-on-openproject-through-api-v3-work_packages-2-via-http-method-patch-api-v3-work_packages-id-workpackagerepresenter-cache


Conversation

EinLama (Contributor) commented Jun 26, 2026

Ticket

https://community.openproject.org/wp/SC-246

What are you trying to accomplish?

Fixes the API cache for budgets so that users lacking permissions don't receive a resource with information they are not allowed to see.

I also double checked that project custom fields are not affected by this vulnerability since they explicitly include their permission check into the cache key.

What approach did you choose and why?

Apply a link_cache_if condition similar to sprints. Same for the getter. Added a spec to verify the regression.

Merge checklist

  • Added/updated tests
  • Added/updated documentation in Lookbook (patterns, previews, etc)
  • Tested major browsers (Chrome, Firefox, Edge, ...)
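To make the bug class concrete, here is a constructed toy model of a representer link cache, added here and not OpenProject's code: a cache keyed on the work package alone replays a budget link rendered for a permitted user to a later requester without the permission, while gating the cache behind the permission check (the link_cache_if idea above) does not. The `WorkPackage`, `User`, `LeakyLinkCache` and `GuardedLinkCache` names and the `view_budgets` permission are hypothetical.

```ruby
require "set"

# Constructed model (not OpenProject's code); names are hypothetical.
WorkPackage = Struct.new(:id, :project_id, :budget_id)
User = Struct.new(:permissions) do
  # permissions: Set of [permission_name, project_id] pairs
  def allowed?(permission, project_id)
    permissions.include?([permission, project_id])
  end
end

def budget_href(wp)
  { href: "/api/v3/budgets/#{wp.budget_id}" }
end

# Vulnerable shape: the cache key is derived from the work package only, so a
# link rendered for a permitted user is replayed to every later requester.
class LeakyLinkCache
  def initialize
    @store = {}
  end

  def budget_link(wp, user)
    @store[[:budget, wp.id]] ||=
      user.allowed?(:view_budgets, wp.project_id) ? budget_href(wp) : nil
  end
end

# Fixed shape: the permission check runs before any cache lookup, so only
# permitted users ever read or fill the shared entry. Folding the permission
# result into the key (as the PR notes project custom fields already do) is
# the equivalent alternative.
class GuardedLinkCache
  def initialize
    @store = {}
  end

  def budget_link(wp, user)
    return nil unless user.allowed?(:view_budgets, wp.project_id)
    @store[[:budget, wp.id]] ||= budget_href(wp)
  end
end

# Regression-style check: a permitted user warms each cache, then a user
# without view_budgets in that project asks for the same work package.
def cache_leak_demo
  wp = WorkPackage.new(42, 7, 9)
  permitted = User.new(Set[[:view_budgets, 7]])
  outsider = User.new(Set.new)
  leaky = LeakyLinkCache.new
  guarded = GuardedLinkCache.new
  leaky.budget_link(wp, permitted)
  guarded.budget_link(wp, permitted)
  { leaky: leaky.budget_link(wp, outsider), guarded: guarded.budget_link(wp, outsider) }
end

puts cache_leak_demo.inspect
```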

@github-actions commented

Warning

Flaky specs

  • rspec ./modules/backlogs/spec/features/backlogs/start_finish_spec.rb[1:2:2:2]
🤖 Ask Copilot to investigate

Copy the prompt below into a new comment on this PR to delegate the investigation to GitHub Copilot. It will look into the flakiness and open a separate pull request with you as reviewer.

@copilot The following spec(s) are flaky in CI (first seen on PR #23971, linked for reference only):

- `rspec ./modules/backlogs/spec/features/backlogs/start_finish_spec.rb[1:2:2:2]`

Treat this as a standalone task, unrelated to PR #23971. Create a new branch from origin/dev and open a new pull request targeting dev — do not stack it on PR #23971 or reuse that branch.

Follow the playbook in docs/development/testing/handling-flaky-tests/README.md to find the root cause and fix the underlying race — do not skip, delete, or weaken the spec to make it pass; disabling is a last resort per the playbook, and only with a bug ticket. Verify the fix by running the spec(s) repeatedly (e.g. `script/bulk_run_rspec --run-count 10`).

If you cannot reproduce the flake or are not confident in a fix after reasonable investigation, do not fabricate a change or skip the spec to force CI green. Instead, leave the pull request in draft and document what you tried, the suspected cause, and any leads in its description, then assign @EinLama to take over.

Once the fix is verified, title the PR after the spec(s) it fixes, and use the PR description to explain the root cause, how the change resolves it, and the before/after results. Label the PR `flaky-spec`, assign @EinLama, and request a review from @EinLama.
On every commit, set @EinLama as the sole co-author with a `Co-authored-by:` trailer (use their GitHub no-reply email so it links to their account), so it is traceable who dispatched the fix.
