fix(security): ensure that only the owner can append chunks onto uploaded files #11

Merged

Mitchell merged 2 commits from feat/9-add-admin-announcement-alert into develop 2026-02-27 16:12:23 +10:30

Conversation 1 Commits 2 Files changed 10 +123 -30

Mitchell commented 2026-02-27 16:12:14 +10:30

Owner

Copy link

Accidentally pushed to the wrong branch.

This pull request fixes an issue where any authenticated user can append chunks onto other users files.

Accidentally pushed to the wrong branch. This pull request fixes an issue where any authenticated user can append chunks onto other users files.

Mitchell added the

Priority

Critical

Kind

Security

labels 2026-02-27 16:12:14 +10:30

Mitchell self-assigned this 2026-02-27 16:12:14 +10:30

Mitchell added 2 commits 2026-02-27 16:12:14 +10:30

fix(security): ensure that only the owner can append chunks onto uploaded files c247e49e15

Merge remote-tracking branch 'origin/develop' into develop 280964ad16

Mitchell merged commit 8488bda119 into develop 2026-02-27 16:12:23 +10:30

Mitchell deleted branch feat/9-add-admin-announcement-alert 2026-02-27 16:12:23 +10:30

Mitchell referenced this pull request from a commit 2026-02-27 16:12:25 +10:30

Merge pull request 'fix(security): ensure that only the owner can append chunks onto uploaded files' (#11) from feat/9-add-admin-announcement-alert into develop

Mitchell commented 2026-02-27 16:17:40 +10:30

Author

Owner

Copy link

FYI, the scope of this probably wouldn't have been that bad. It would require a malicious actor to know the upload ID and it would be a very timed attack since files cannot be changed after finalized.

FYI, the scope of this probably wouldn't have been that bad. It would require a malicious actor to know the upload ID and it would be a very timed attack since files cannot be changed after finalized.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

Compat

Breaking

Breaking change that won't be backward compatible

  

Kind

Bug

Something is not working

  

Kind

Documentation

Documentation changes

  

Kind

Enhancement

Improve existing functionality

  

Kind

Feature

New functionality

  

Kind

Security

This is security issue

  

Kind

Testing

Issue or pull request related to testing

  

Priority

Critical

The priority is critical

  

Priority

High

The priority is high

  

Priority

Low

The priority is low

  

Priority

Medium

The priority is medium

  

Reviewed

Confirmed

Issue has been confirmed

  

Reviewed

Duplicate

This issue or pull request already exists

  

Reviewed

Invalid

Invalid issue

  

Reviewed

Won't Fix

This issue won't be fixed

  

Status

Abandoned

Somebody has started to work on this but abandoned work

  

Status

Blocked

Something is blocking this issue or pull request

  

Status

Need More Info

Feedback is required to reproduce issue or to continue work

No labels

Compat

Breaking

Kind

Bug

Kind

Documentation

Kind

Enhancement

Kind

Feature

Kind

Security

Kind

Testing

Priority

Critical

Priority

High

Priority

Low

Priority

Medium

Reviewed

Confirmed

Reviewed

Duplicate

Reviewed

Invalid

Reviewed

Won't Fix

Status

Abandoned

Status

Blocked

Status

Need More Info

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

Mitchell

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

Mitchell/kite!11

No description provided.