Goploy Cross-Namespace IDOR and RCE via Unvalidated Project ID in API Handlers
Goploy fails to validate namespace ownership when accepting project IDs from JSON request bodies, allowing authenticated users to read/write/delete files across namespaces and rewrite git remotes—escalating to RCE on deployment.
CVE References
Affected
Vulnerability Description
Goploy's Project.AddFile(), Project.EditFile(), Project.RemoveFile(), and Project.Edit() handlers accept a projectId parameter directly from the JSON request body without verifying that the target project belongs to the authenticated user's namespace. The underlying model queries (Project.GetData(), ProjectFile.GetData()) filter only by row ID—not by namespace—creating a horizontal privilege escalation (IDOR) that crosses namespace boundaries. Users holding the manager role (or any role with FileSync/EditProject permissions) in their own namespace can exploit this to access any project on the install.
Root Cause & Impact
The vulnerability stems from insufficient access control during object lookup. By design, Goploy uses namespaces to isolate multi-tenant deployments; however, the handlers bypass namespace validation entirely by trusting the client-supplied row ID. An attacker can enumerate or guess project IDs and manipulate file content or project metadata. Most critically, the Edit handler allows rewriting the git remote URL, which is executed via git remote set-url during the next deployment. This converts a file-write primitive into arbitrary command execution because git remote URLs can encode shell metacharacters or invoke local handlers.
Detection Guidance
Log Indicators:
- API requests to
/api/project/add-file,/api/project/edit-file,/api/project/remove-file,/api/project/editwhere theprojectIdin the JSON body does not match the authenticated user's namespace (correlate with user audit logs). - Requests from low-privilege or newly-created accounts accessing
projectIdvalues that differ significantly in numeric range from their own projects. - File modification events (
EditFile,RemoveFile) on projects not owned by the requesting user. - Git remote URL changes to unusual targets (non-standard git hosts, file:// URIs, or shell-encoded URLs).
Monitoring:
- Alert on
Project.Editcalls that modifygit_urlfield. - Track API calls from users with
FileSyncorEditProjectpermissions accessing out-of-namespace project IDs. - Monitor deployment logs for git operations on unexpectedly-modified remotes.
Mitigation Steps
- Immediate patch: Apply namespace validation to all four handlers before querying the model. Verify that
Project.namespace_id == user.namespace_idafter retrieval, or add anamespace_idpredicate to allGetData()queries. - Code hardening: Refactor
Project.GetData(id)toProject.GetData(id, namespaceId)to enforce namespace isolation at the data layer. - Access control review: Audit role definitions; verify that
FileSyncandEditProjectpermissions are scoped to the user's namespace. - Git remote validation: Implement a whitelist or syntax validation for git remote URLs to block shell injection and unexpected protocols.
- Audit existing deployments: Query deployment logs for anomalous
git remote set-urlcommands; correlate with user access logs to identify prior exploitation.
Risk Assessment
Likelihood of exploitation: High. The vulnerability requires only a manager role in any namespace; no special network access or credentials are needed. Project IDs are likely sequential or discoverable, making enumeration trivial. The RCE escalation via git remote rewrite is deterministic and reliable on next deployment.
Threat actor interest: Critical infrastructure and SaaS platforms using Goploy are high-value targets. This vulnerability enables lateral movement across namespaces and potential supply-chain attacks if Goploy is used in CI/CD workflows. Mass exploitation is plausible given the low barrier to entry (valid credentials in any namespace).
Sources