Intelligence
criticalVulnerabilityActive

Goploy Cross-Namespace IDOR and RCE via Unvalidated Project ID in API Handlers

Goploy fails to validate namespace ownership when accepting project IDs from JSON request bodies, allowing authenticated users to read/write/delete files across namespaces and rewrite git remotes—escalating to RCE on deployment.

S
Sebastion

CVE References

Affected

zhenorzz/goploy@1.17.5

Vulnerability Description

Goploy's Project.AddFile(), Project.EditFile(), Project.RemoveFile(), and Project.Edit() handlers accept a projectId parameter directly from the JSON request body without verifying that the target project belongs to the authenticated user's namespace. The underlying model queries (Project.GetData(), ProjectFile.GetData()) filter only by row ID—not by namespace—creating a horizontal privilege escalation (IDOR) that crosses namespace boundaries. Users holding the manager role (or any role with FileSync/EditProject permissions) in their own namespace can exploit this to access any project on the install.

Root Cause & Impact

The vulnerability stems from insufficient access control during object lookup. By design, Goploy uses namespaces to isolate multi-tenant deployments; however, the handlers bypass namespace validation entirely by trusting the client-supplied row ID. An attacker can enumerate or guess project IDs and manipulate file content or project metadata. Most critically, the Edit handler allows rewriting the git remote URL, which is executed via git remote set-url during the next deployment. This converts a file-write primitive into arbitrary command execution because git remote URLs can encode shell metacharacters or invoke local handlers.

Detection Guidance

Log Indicators:

  • API requests to /api/project/add-file, /api/project/edit-file, /api/project/remove-file, /api/project/edit where the projectId in the JSON body does not match the authenticated user's namespace (correlate with user audit logs).
  • Requests from low-privilege or newly-created accounts accessing projectId values that differ significantly in numeric range from their own projects.
  • File modification events (EditFile, RemoveFile) on projects not owned by the requesting user.
  • Git remote URL changes to unusual targets (non-standard git hosts, file:// URIs, or shell-encoded URLs).

Monitoring:

  • Alert on Project.Edit calls that modify git_url field.
  • Track API calls from users with FileSync or EditProject permissions accessing out-of-namespace project IDs.
  • Monitor deployment logs for git operations on unexpectedly-modified remotes.

Mitigation Steps

  1. Immediate patch: Apply namespace validation to all four handlers before querying the model. Verify that Project.namespace_id == user.namespace_id after retrieval, or add a namespace_id predicate to all GetData() queries.
  2. Code hardening: Refactor Project.GetData(id) to Project.GetData(id, namespaceId) to enforce namespace isolation at the data layer.
  3. Access control review: Audit role definitions; verify that FileSync and EditProject permissions are scoped to the user's namespace.
  4. Git remote validation: Implement a whitelist or syntax validation for git remote URLs to block shell injection and unexpected protocols.
  5. Audit existing deployments: Query deployment logs for anomalous git remote set-url commands; correlate with user access logs to identify prior exploitation.

Risk Assessment

Likelihood of exploitation: High. The vulnerability requires only a manager role in any namespace; no special network access or credentials are needed. Project IDs are likely sequential or discoverable, making enumeration trivial. The RCE escalation via git remote rewrite is deterministic and reliable on next deployment.

Threat actor interest: Critical infrastructure and SaaS platforms using Goploy are high-value targets. This vulnerability enables lateral movement across namespaces and potential supply-chain attacks if Goploy is used in CI/CD workflows. Mass exploitation is plausible given the low barrier to entry (valid credentials in any namespace).