```python
@api.route("/sources/<source_uuid>/submissions/<submission_uuid>/download", methods=["GET"])
def download_submission(source_uuid: str, submission_uuid: str) -> flask.Response:
    # The source is only checked for existence; the result is discarded.
    get_or_404(Source, source_uuid, column=Source.uuid)
    # The submission is looked up by UUID alone, not scoped to that source.
    submission = get_or_404(Submission, submission_uuid, column=Submission.uuid)
    return utils.serve_file_with_etag(submission)


@api.route("/sources/<source_uuid>/replies/<reply_uuid>/download", methods=["GET"])
def download_reply(source_uuid: str, reply_uuid: str) -> flask.Response:
    # Same pattern: source existence check, then an unscoped reply lookup.
    get_or_404(Source, source_uuid, column=Source.uuid)
    reply = get_or_404(Reply, reply_uuid, column=Reply.uuid)
    return utils.serve_file_with_etag(reply)
```
There's no validation that the source UUID corresponds to the submission/reply UUID. This is theoretically an IDOR except there's no security impact since any journalist can see any submission/reply.
This was originally reported by Saamin via BugCrowd.
Mostly filing so this is recorded somewhere but it's unlikely to be fixed.
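The missing relationship check, shown as an added example that is not the project's code: an in-memory stand-in for the models (assumed `Source`/`Submission` dataclasses and a `NotFound` exception in place of Flask's 404) runs the reported unscoped lookup beside a scoped one that filters the submission by the resolved source's id.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Stands in for the 404 raised by get_or_404 (assumption)."""


@dataclass(frozen=True)
class Source:
    id: int
    uuid: str


@dataclass(frozen=True)
class Submission:
    id: int
    uuid: str
    source_id: int  # foreign key to Source.id (assumed schema)


# Constructed sample data: two sources, one submission each.
SOURCES = {s.uuid: s for s in (Source(1, "src-a"), Source(2, "src-b"))}
SUBMISSIONS = [Submission(10, "sub-a", 1), Submission(20, "sub-b", 2)]


def get_source_or_404(uuid: str) -> Source:
    try:
        return SOURCES[uuid]
    except KeyError:
        raise NotFound(uuid)


def download_unscoped(source_uuid: str, submission_uuid: str) -> Submission:
    """Mirrors the reported handler: both lookups succeed independently,
    so any existing source UUID pairs with any existing submission UUID."""
    get_source_or_404(source_uuid)
    for sub in SUBMISSIONS:
        if sub.uuid == submission_uuid:
            return sub
    raise NotFound(submission_uuid)


def download_scoped(source_uuid: str, submission_uuid: str) -> Submission:
    """Hardened form: the submission lookup is filtered by the resolved source,
    so a mismatched pair is a 404 rather than a silent success."""
    source = get_source_or_404(source_uuid)
    for sub in SUBMISSIONS:
        if sub.uuid == submission_uuid and sub.source_id == source.id:
            return sub
    raise NotFound(submission_uuid)
```

With SQLAlchemy models the scoped form would add the source's id to the query filter alongside the UUID, which keeps the URL's two identifiers consistent even where the current authorization model makes the mismatch harmless.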