fix: validate default_environment_id belongs to project #2024
Merged
simplesagar merged 2 commits into main on Mar 30, 2026
Closes AGE-1624. The SetMcpMetadata RPC accepted any valid UUID for default_environment_id without checking it belonged to the caller's project. Now queries GetEnvironmentByID scoped to project_id before persisting, returning a 400 if the environment is not found.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
🦋 Changeset detected. Latest commit: 5d1a2f0. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
chase-crumbaugh approved these changes on Mar 30, 2026
Summary
- Validates that `default_environment_id` belongs to the caller's project before storing it in MCP metadata, closing a latent IDOR-adjacent security vulnerability
- Adds a `GetEnvironmentByID` query which scopes by `project_id` and filters soft-deleted records
- Returns `400 Bad Request` if the environment is not found in the project
- Closes AGE-1624
Test plan
- `TestService_SetMcpMetadata_DefaultEnvironmentID_Valid`: accepts an environment that belongs to the project
- `TestService_SetMcpMetadata_DefaultEnvironmentID_WrongProject`: rejects an environment from a different project with `CodeBadRequest`

🤖 Generated with Claude Code
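The project-scoped lookup this PR describes, written out as an added example that is not the project's own code: `Repo`, `Environment`, `ErrBadRequest` and the in-memory store are assumed stand-ins for the real database query and `CodeBadRequest` error, and the environment and project IDs are constructed sample data.

```go
package main
import "errors"
import "fmt"

// ErrBadRequest stands in for the service's CodeBadRequest (assumed name).
var ErrBadRequest = errors.New("400: default_environment_id not found in project")

// Environment is a constructed stand-in for an environment row; Deleted is the soft-delete flag.
type Environment struct{ ID, ProjectID string; Deleted bool }

// McpMetadata carries the field under validation.
type McpMetadata struct{ DefaultEnvironmentID string }

// Repo is a constructed in-memory store; Meta holds the persisted MCP metadata per project.
type Repo struct{ envs []Environment; Meta map[string]McpMetadata }

// NewDemoRepo seeds constructed data: a live and a soft-deleted environment in proj-a, one live in proj-b.
func NewDemoRepo() *Repo {
	return &Repo{Meta: map[string]McpMetadata{}, envs: []Environment{
		{ID: "env-a1", ProjectID: "proj-a"},
		{ID: "env-a2", ProjectID: "proj-a", Deleted: true},
		{ID: "env-b1", ProjectID: "proj-b"},
	}}
}

// GetEnvironmentByID mirrors the scoped lookup the PR describes: it matches on
// environment ID AND project ID, and filters out soft-deleted rows.
func (r *Repo) GetEnvironmentByID(projectID, envID string) (Environment, bool) {
	for _, e := range r.envs {
		if e.ID == envID && e.ProjectID == projectID && !e.Deleted {
			return e, true
		}
	}
	return Environment{}, false
}

// SetMcpMetadata is the hardened handler: a well-formed ID is not enough, it must
// resolve inside the caller's own project before anything is persisted.
func (r *Repo) SetMcpMetadata(callerProject string, m McpMetadata) error {
	if _, ok := r.GetEnvironmentByID(callerProject, m.DefaultEnvironmentID); !ok {
		return ErrBadRequest
	}
	r.Meta[callerProject] = m
	return nil
}

func main() {
	r := NewDemoRepo()
	fmt.Println(r.SetMcpMetadata("proj-a", McpMetadata{"env-a1"}), r.SetMcpMetadata("proj-a", McpMetadata{"env-b1"}))
}
```

The same scoped query also rejects a soft-deleted environment from the caller's own project, which a bare UUID format check would have let through.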