Mirrors/coolify
1
0
Fork 0
mirror of https://github.com/coollabsio/coolify.git synced 2025-12-28 13:41:51 +00:00
Code Issues Actions 11 Packages Projects Releases Wiki Activity
336fa0c714
coolify/app/Livewire
History
Andras Bacsai 336fa0c714 fix: critical privilege escalation in team invitation system 
This commit addresses a critical security vulnerability where low-privileged
users (members) could invite high-privileged users (admins/owners) to teams,
allowing them to escalate their own privileges through password reset.

Root Causes Fixed:
1. TeamPolicy authorization checks were commented out, allowing all team
   members to manage invitations instead of just admins/owners
2. Missing role elevation checks in InviteLink component allowed members
   to invite users with higher privileges

Security Fixes:

1. app/Policies/TeamPolicy.php
   - Uncommented and enforced authorization checks for:
     * update() - Only admins/owners can update team settings
     * delete() - Only admins/owners can delete teams
     * manageMembers() - Only admins/owners can manage team members
     * viewAdmin() - Only admins/owners can view admin panel
     * manageInvitations() - Only admins/owners can manage invitations

2. app/Livewire/Team/InviteLink.php
   - Added explicit role elevation checks to prevent:
     * Members from inviting admins or owners
     * Admins from inviting owners (defense-in-depth)
   - Validates that inviter has sufficient privileges for target role

Test Coverage:

1. tests/Feature/TeamPolicyTest.php
   - 24 comprehensive tests covering all policy methods
   - Tests for owner, admin, member, and non-member access
   - Specific tests for the privilege escalation vulnerability

2. tests/Feature/TeamInvitationPrivilegeEscalationTest.php
   - 11 tests covering all role elevation scenarios
   - Tests member → admin/owner escalation (blocked)
   - Tests admin → owner escalation (blocked)
   - Tests valid invitation paths for each role

Impact:
- Prevents privilege escalation attacks
- Protects all Coolify instances from unauthorized access
- Enforces proper role hierarchy in team management

References:
- Identified by Aikido AI whitebox pentest service
- CVE: Pending assignment
- Severity: Critical

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-15 11:42:25 +02:00
..
Admin Revert "rector: arrrrr" 2025-01-07 15:31:43 +01:00
Boarding fix(onboarding): auto-select first SSH key for better UX 2025-10-12 18:54:12 +02:00
Destination feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 10:27:38 +02:00
Notifications feat: implement actual webhook delivery with Ray debugging 2025-10-10 18:07:04 +02:00
Profile fix(user): ensure email attributes are stored in lowercase for consistency and prevent case-related issues 2025-09-05 17:44:34 +02:00
Project Merge pull request #6879 from coollabsio/fix-docker-image-digest-cleanup 2025-10-15 10:49:30 +02:00
Security feat: add YAML validation for cloud-init scripts 2025-10-11 13:56:55 +02:00
Server simplify the getCpuVendorInfo method 2025-10-13 22:41:13 +02:00
Settings refactor(dns-validation): rename DNS validation functions for consistency and clarity, and remove unused code 2025-09-09 09:00:35 +02:00
SharedVariables feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 10:27:38 +02:00
Source/Github feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 10:27:38 +02:00
Storage feat(storage): implement transaction handling in storage settings submission 2025-10-07 15:08:22 +02:00
Subscription feat(changelog): implement automated changelog fetching from GitHub and enhance changelog read tracking 2025-08-12 10:07:11 +02:00
Tags Revert "rector: arrrrr" 2025-01-07 15:31:43 +01:00
Team fix: critical privilege escalation in team invitation system 2025-10-15 11:42:25 +02:00
Terminal feat: replace terminal dropdown with searchable datalist component 2025-10-12 14:57:45 +02:00
ActivityMonitor.php refactor(proxy): streamline proxy status handling and improve dashboard availability checks 2025-06-11 12:02:39 +02:00
Dashboard.php ui(core): update projects property type and enhance UI styling 2025-10-01 08:23:35 +02:00
DeploymentsIndicator.php refactor(deployment): enhance deployment data retrieval and relationships 2025-10-04 18:02:20 +02:00
ForcePasswordReset.php Revert "rector: arrrrr" 2025-01-07 15:31:43 +01:00
GlobalSearch.php fix: 'new image' quick action not progressing to resource selection 2025-10-15 10:49:07 +02:00
Help.php fix(feedback): update feedback email address to improve communication with users 2025-09-11 20:23:07 +02:00
LayoutPopups.php
MonacoEditor.php feat(core): You can validate compose files with docker compose config 2025-02-27 11:29:04 +01:00
NavbarDeleteTeam.php Revert "rector: arrrrr" 2025-01-07 15:31:43 +01:00
SettingsBackup.php fix validation on a few views 2025-10-06 21:25:24 +02:00
SettingsDropdown.php feat(ui): display current version in settings dropdown and update UI accordingly 2025-09-01 16:23:14 +02:00
SettingsEmail.php fix(email-notifications): change notify method to notifyNow for immediate test email delivery 2025-06-04 17:10:06 +02:00
SettingsOauth.php Revert "rector: arrrrr" 2025-01-07 15:31:43 +01:00
SwitchTeam.php fix(ui): always redirect to dashboard after team switch 2025-02-03 21:38:40 +01:00
Upgrade.php Revert "rector: arrrrr" 2025-01-07 15:31:43 +01:00
VerifyEmail.php Revert "rector: arrrrr" 2025-01-07 15:31:43 +01:00