Summary
Multiple folder management endpoints in the pages/api/teams/[teamId]/folders/manage/ path fetch folders by ID without verifying team ownership (teamId), allowing any authenticated user to access, modify, or delete folders belonging to other teams.
Vulnerability Class
CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)
Affected Endpoints
Four endpoints query prisma.folder.findUnique({ where: { id: folderId } }) without teamId:
- Folder Delete (folders/manage/[folderId]/index.ts:53-55)
- Folder Rename/Update (folders/manage/index.ts:70-73)
- Add Folder to Dataroom (folders/manage/[folderId]/add-to-dataroom.ts:21-22)
- Create Dataroom from Folder (datarooms/create-from-folder.ts:22-24)
Correctly Scoped Endpoints (for contrast)
Adjacent endpoints correctly include teamId in the WHERE clause:
- folders/move.ts:113 — { id: folderId, teamId } ✓
- documents/move.ts:58 — { id: folderId, teamId: teamId } ✓
- webhooks/services/.../index.ts:511 — { id: folderId, teamId: teamId } ✓
Recommended Fix
Add teamId to all four folder lookups:
```ts
const folder = await prisma.folder.findUnique({
  where: {
    id: folderId,
    teamId: teamId, // ADD THIS
  },
});
```
Impact
An authenticated user who is a member of any team can:
- Delete folders and all documents from other teams (permanent data loss)
- Rename folders belonging to other teams
- Clone other teams' folder contents into their own datarooms (data exfiltration)
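The recommended fix above, worked through as an added example that is not Papermark's code: an in-memory stand-in for the folder table shows why the unscoped lookup returns a foreign team's folder while the team-scoped lookup turns it into a plain "not found". One caveat for the real fix: Prisma's findUnique only accepts a non-unique field such as teamId in where from Prisma 5 (extendedWhereUnique), so on older versions the same filter goes in findFirst. The folder records, team ids and handleRename route shape below are constructed for the example.

```typescript
// Added example (not Papermark's code): in-memory model of the two lookups.
type Folder = { id: string; teamId: string; name: string };

// Constructed sample data: two teams, one folder each.
const folders: Folder[] = [
  { id: "folder-a", teamId: "team-1", name: "Team 1 contracts" },
  { id: "folder-b", teamId: "team-2", name: "Team 2 board deck" },
];

// Vulnerable lookup: mirrors findUnique({ where: { id: folderId } }).
// The folder is returned regardless of which team the caller belongs to.
function findFolderUnscoped(folderId: string): Folder | null {
  return folders.find((f) => f.id === folderId) ?? null;
}

// Fixed lookup: mirrors findUnique({ where: { id: folderId, teamId } }).
// A folder owned by another team is indistinguishable from a missing one.
function findFolderScoped(folderId: string, teamId: string): Folder | null {
  return folders.find((f) => f.id === folderId && f.teamId === teamId) ?? null;
}

// Minimal shape of a manage/[folderId] handler (hypothetical). The caller's
// team membership is assumed to have been verified earlier in the route;
// the scoped lookup then makes that teamId part of the query itself.
function handleRename(
  callerTeamId: string,
  folderId: string,
  newName: string,
): { status: number; body: string } {
  const folder = findFolderScoped(folderId, callerTeamId);
  if (!folder) {
    // 404 rather than 403: do not confirm that a foreign folder id exists.
    return { status: 404, body: "Folder not found" };
  }
  folder.name = newName;
  return { status: 200, body: folder.name };
}
```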
Notes
- The SECURITY.md recommends emailing security@papermark.com. I've filed this issue because GitHub Private Vulnerability Reporting is not enabled on this repository.
- I recommend enabling GitHub Private Vulnerability Reporting for future disclosures.
- This issue describes the vulnerability class and fix without providing exploit code.
Discovered by Lighthouse Security Research.