
fix: validate default_environment_id belongs to project#2024

Merged: simplesagar merged 2 commits into main from sagar/age-1624-bug-validate-default_environment_id-belongs-to-project on Mar 30, 2026

Conversation


simplesagar (Member) commented Mar 29, 2026

Summary

  • Validates that default_environment_id belongs to the caller's project before storing it in MCP metadata, closing a latent IDOR-adjacent security vulnerability
  • Uses the existing GetEnvironmentByID query which scopes by project_id and filters soft-deleted records
  • Returns a 400 Bad Request if the environment is not found in the project

Closes AGE-1624

Test plan

  • Added TestService_SetMcpMetadata_DefaultEnvironmentID_Valid — accepts an environment that belongs to the project
  • Added TestService_SetMcpMetadata_DefaultEnvironmentID_WrongProject — rejects an environment from a different project with CodeBadRequest
  • Existing tests continue to pass

🤖 Generated with Claude Code
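The check the PR describes, written out as an added example in Go (the server's language); this is not the project's own code. The store, the `Service`, `ServiceError`, `Code` values and the fixture data are all hypothetical stand-ins, modelled only on what the summary says: the lookup is scoped by `project_id`, soft-deleted rows are excluded, and a miss becomes a 400 rather than being persisted. The example also shows why a UUID-format check alone is not a fix, and why an ID owned by another project should be answered exactly like a non-existent one.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Environment is a hypothetical stand-in for the environment row.
// Only the columns the ownership check needs are modelled.
type Environment struct {
	ID        string
	ProjectID string
	Deleted   bool // soft-delete flag
}

// EnvStore is a constructed in-memory table standing in for the database.
type EnvStore struct{ rows []Environment }

var ErrEnvNotFound = errors.New("environment not found")

// GetEnvironmentByID is a hypothetical version of the query the PR relies on:
// the lookup is keyed by (project_id, id) and skips soft-deleted rows, so an
// ID that exists in another project is answered exactly like a missing one.
func (s *EnvStore) GetEnvironmentByID(ctx context.Context, projectID, envID string) (*Environment, error) {
	for _, row := range s.rows {
		if row.ID == envID && row.ProjectID == projectID && !row.Deleted {
			env := row
			return &env, nil
		}
	}
	return nil, ErrEnvNotFound
}

// Code mimics a service error-code enum; CodeBadRequest maps to HTTP 400.
type Code int

const (
	CodeBadRequest Code = iota + 1
	CodeInternal
)

type ServiceError struct {
	Code Code
	Msg  string
}

func (e *ServiceError) Error() string { return e.Msg }

// McpMetadata holds the one field the PR validates.
type McpMetadata struct {
	DefaultEnvironmentID *string
}

// Service is a hypothetical slice of the MCP metadata service.
type Service struct {
	envs  *EnvStore
	saved map[string]McpMetadata // projectID -> persisted metadata
}

// SetMcpMetadata resolves default_environment_id inside the caller's project
// before persisting it. Checking that the value parses as a UUID would not
// help: the bug was a missing ownership check, not a malformed input.
func (s *Service) SetMcpMetadata(ctx context.Context, callerProjectID string, defaultEnvID *string) error {
	if defaultEnvID != nil {
		_, err := s.envs.GetEnvironmentByID(ctx, callerProjectID, *defaultEnvID)
		switch {
		case errors.Is(err, ErrEnvNotFound):
			// Same response whether the ID is unknown, deleted, or owned by
			// another project: the caller learns nothing about other tenants.
			return &ServiceError{Code: CodeBadRequest, Msg: "default_environment_id not found in project"}
		case err != nil:
			return &ServiceError{Code: CodeInternal, Msg: err.Error()}
		}
	}
	s.saved[callerProjectID] = McpMetadata{DefaultEnvironmentID: defaultEnvID}
	return nil
}

// NewDemoService builds a fixture with constructed data: two projects, one
// live environment each, plus a soft-deleted environment in project A.
func NewDemoService() *Service {
	return &Service{
		envs: &EnvStore{rows: []Environment{
			{ID: "env-a1", ProjectID: "proj-a"},
			{ID: "env-a2", ProjectID: "proj-a", Deleted: true},
			{ID: "env-b1", ProjectID: "proj-b"},
		}},
		saved: map[string]McpMetadata{},
	}
}

func main() {
	svc := NewDemoService()
	ctx := context.Background()
	for _, id := range []string{"env-a1", "env-a2", "env-b1"} {
		envID := id
		err := svc.SetMcpMetadata(ctx, "proj-a", &envID)
		fmt.Printf("proj-a sets default_environment_id=%s: err=%v\n", id, err)
	}
}
```

Only `env-a1` is persisted for `proj-a`; the soft-deleted `env-a2` and the other tenant's `env-b1` both come back as `CodeBadRequest` without touching the stored metadata, which is the behaviour the two new tests in the PR assert.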



Closes AGE-1624. The SetMcpMetadata RPC accepted any valid UUID for
default_environment_id without checking it belonged to the caller's
project. Now queries GetEnvironmentByID scoped to project_id before
persisting, returning a 400 if the environment is not found.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vercel Bot commented Mar 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: gram-docs-redirect | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Mar 29, 2026 3:39pm


claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.


changeset-bot Bot commented Mar 29, 2026

🦋 Changeset detected

Latest commit: 5d1a2f0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
server Patch


devin-ai-integration Bot (Contributor) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.


Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

simplesagar merged commit 7978914 into main Mar 30, 2026
53 of 54 checks passed
simplesagar deleted the sagar/age-1624-bug-validate-default_environment_id-belongs-to-project branch March 30, 2026 22:06
github-actions Bot locked and limited conversation to collaborators Mar 30, 2026