diff --git a/reports/account-deletion-idor-placeholder.md b/reports/account-deletion-idor-placeholder.md new file mode 100644 index 00000000..e42bf494 --- /dev/null +++ b/reports/account-deletion-idor-placeholder.md @@ -0,0 +1,24 @@ +# Placeholder Submission for Issue #58: IDOR on Account Deletion + +This pull request serves as a placeholder for the vulnerability reported at: [AIxBlock-2023#58](https://github.com/AIxBlock-2023/awesome-ai-dev-platform-opensource/issues/58) + +The issue describes an Insecure Direct Object Reference (IDOR) vulnerability in the account deletion endpoint: DELETE https://app.aixblock.io/api/users/{user_id} + +Any authenticated user can delete another user's account by changing the `user_id` in the request. The server does not verify whether the requestor actually owns the account, and it deletes the target account permanently without any confirmation or access control validation. + +** Proposed Fix ** + +To mitigate this vulnerability: + +- Implement strict authorization checks so that only the **account owner** can initiate a deletion request for their own account. +- If a user attempts to delete another user's account, return a `403 Forbidden` error with a clear message. + +### Example Unauthorized Response: + +```http +HTTP/2 403 Forbidden +{ + "status_code": 403, + "detail": "You are not allowed to delete this account." +} + diff --git a/reports/internal-metadata-exposure.md b/reports/internal-metadata-exposure.md new file mode 100644 index 00000000..f93c4a07 --- /dev/null +++ b/reports/internal-metadata-exposure.md 
@@ -0,0 +1,7 @@ +This pull request is a placeholder related to the infrastructure metadata exposure issue I reported in issue #116. + +The endpoint `https://app.aixblock.io/api/settings/installation-service/` reveals internal configuration data such as Docker image names, environment types, registry URLs, and version info — all of which should ideally be restricted to internal or admin roles. + +This placeholder commit is made from my fork as part of the official submission requirements. + +Looking forward to any feedback or next steps. Thank you!
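Review bot: In `reports/account-deletion-idor-placeholder.md` the ```http fence opened before `HTTP/2 403 Forbidden` is never closed, so everything after it (including the next file's content in a rendered view) is swallowed into the code block; add a closing ``` after the JSON body. Two smaller formatting points in the same hunk: `** Proposed Fix **` has spaces inside the markers and will not render as bold (use `**Proposed Fix**` or a `##` heading to match the `###` used for the example response), and the proposed fix would be more actionable if it named the concrete check, i.e. that the server compares the `user_id` path parameter against the authenticated principal's id (or an explicit admin role) before the delete is performed, rather than relying on the client-supplied value.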
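Review bot: `reports/internal-metadata-exposure.md` references "issue #116" without a link, while the sibling report links its issue as `[AIxBlock-2023#58](...)`; link #116 the same way so the report is traceable. The file also has no title heading and no remediation section, unlike the first report; a one-line heading plus a short "Proposed Fix" stating the expected access control (require an authenticated admin role for `/api/settings/installation-service/`, and return `403` otherwise, matching the response shape in the first report) would make the two placeholders consistent and give the maintainers something to act on.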