Skip to content

Fix dispatch log data leak for deleted items (#248)#258

Open
boot-coco wants to merge 1 commit intodevelopfrom
fix/248-dispatch-log-null-check
Open

Fix dispatch log data leak for deleted items (#248)#258
boot-coco wants to merge 1 commit intodevelopfrom
fix/248-dispatch-log-null-check

Conversation

@boot-coco
Copy link
Contributor

@boot-coco boot-coco commented Mar 9, 2026

Summary

  • Fixes Dispatch log endpoints leak data for deleted items (missing null check) #248: Dispatch log endpoints leaked data for deleted items due to missing null check
  • Both GET /api/v2/distributions/:item_id and POST .../retry had an access control guard that only ran when item was truthy — when an item was deleted (null), the guard was skipped entirely
  • Added explicit if (!item) return 404 before the access check in both endpoints

Changes

  • server/index.js: Added null check for item before access control in GET and POST dispatch log endpoints

Test plan

  • Call GET /api/v2/distributions/<deleted_item_id> — should return 404
  • Call POST /api/v2/distributions/<deleted_item_id>/retry — should return 404
  • Call both endpoints with a valid item belonging to a different app — should return 403
  • Call both endpoints with a valid item belonging to the caller's app — should succeed as before

🤖 Generated with Claude Code

@boot-coco @claude
fix: return 404 for deleted items in dispatch log endpoints (#248)
468d0ba 
Both GET /api/v2/distributions/:item_id and POST .../retry had a flawed
access check that only ran when `item` was truthy. When an item was
deleted (null), the check was skipped entirely, leaking dispatch logs
and allowing retry triggers for any authenticated user.

Add an explicit null check before the access control guard so deleted
items return 404 immediately.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jessie-coco
jessie-coco approved these changes Mar 9, 2026
View reviewed changes
Copy link
Contributor

@jessie-coco jessie-coco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codex Review R1: CLEAN

0 P1 + 0 P2 + 0 P3 — no issues found.

Analysis

Bug confirmed: Both GET /api/v2/distributions/:item_id and POST .../retry had an access control bypass — when getItem() returned null (deleted item), the guard if (item && req.v2Auth?.app_id && ...) was skipped entirely, allowing getDispatchLog() to return dispatch data for deleted items without any authorization check.

Fix verified:

  • Adds explicit if (!item) return 404 before the access control check in both endpoints
  • Pattern is consistent with existing null handling (e.g., handleGetItem at line 593)
  • Access control logic for existing items is preserved — the app_id ownership check still runs correctly after the null guard
  • getItem() returns null for non-existent IDs (confirmed in db.js)

Dimensions checked:

  • ✅ Correctness: Logic is sound, both endpoints patched symmetrically
  • ✅ Security: Data leak closed — deleted items now return 404 before any data retrieval
  • ✅ Types & contracts: Response shapes unchanged for valid requests
  • ✅ Edge cases: Null/deleted item handled; valid items with wrong app_id still get 403
  • ✅ Integration: No callers broken — this is a stricter guard, not a behavior change for valid requests
  • ✅ Dead code: None introduced

PR #258 final status: 1 review round, R1 CLEAN.

@jessie-coco jessie-coco mentioned this pull request Mar 9, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jessie-coco jessie-coco jessie-coco approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@boot-coco @jessie-coco