rosslh/coolify
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
coolify/app/Livewire/Team
History
Andras Bacsai 336fa0c714 fix: critical privilege escalation in team invitation system 
This commit addresses a critical security vulnerability where low-privileged
users (members) could invite high-privileged users (admins/owners) to teams,
allowing them to escalate their own privileges through password reset.

Root Causes Fixed:
1. TeamPolicy authorization checks were commented out, allowing all team
   members to manage invitations instead of just admins/owners
2. Missing role elevation checks in InviteLink component allowed members
   to invite users with higher privileges

Security Fixes:

1. app/Policies/TeamPolicy.php
   - Uncommented and enforced authorization checks for:
     * update() - Only admins/owners can update team settings
     * delete() - Only admins/owners can delete teams
     * manageMembers() - Only admins/owners can manage team members
     * viewAdmin() - Only admins/owners can view admin panel
     * manageInvitations() - Only admins/owners can manage invitations

2. app/Livewire/Team/InviteLink.php
   - Added explicit role elevation checks to prevent:
     * Members from inviting admins or owners
     * Admins from inviting owners (defense-in-depth)
   - Validates that inviter has sufficient privileges for target role

Test Coverage:

1. tests/Feature/TeamPolicyTest.php
   - 24 comprehensive tests covering all policy methods
   - Tests for owner, admin, member, and non-member access
   - Specific tests for the privilege escalation vulnerability

2. tests/Feature/TeamInvitationPrivilegeEscalationTest.php
   - 11 tests covering all role elevation scenarios
   - Tests member → admin/owner escalation (blocked)
   - Tests admin → owner escalation (blocked)
   - Tests valid invitation paths for each role

Impact:
- Prevents privilege escalation attacks
- Protects all Coolify instances from unauthorized access
- Enforces proper role hierarchy in team management

References:
- Identified by Aikido AI whitebox pentest service
- CVE: Pending assignment
- Severity: Critical

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-15 11:42:25 +02:00
..
Member feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 10:27:38 +02:00
Storage Fix styling 2024-06-10 20:43:34 +00:00
AdminView.php refactor(user): streamline user deletion process and enhance team management logic 2025-06-25 12:14:35 +02:00
Create.php fix: on team creation, redirect to the new team instantly 2025-10-07 20:45:04 +02:00
Index.php feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 10:27:38 +02:00
Invitations.php feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 10:27:38 +02:00
InviteLink.php fix: critical privilege escalation in team invitation system 2025-10-15 11:42:25 +02:00
Member.php feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 10:27:38 +02:00