
[Bug]: IDOR - Unauthorized access to file ancestry metadata via file_id #14292

@bohdansolovie

Description

Self Checks

  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report (Language Policy).
  • Non-English title submissions will be closed directly (Language Policy).
  • Please do not modify this template :) and fill in all the required fields.

RAGFlow workspace code commit ID

74b44e1

RAGFlow image version

nightly

Other environment information

Hardware parameters: Core i7 8700
OS type: Linux (kernel 6.8.0-100-generic)
Others:
- Component: Go backend file APIs
- Affected endpoints:
  - GET /v1/file/parent_folder?file_id=...
  - GET /v1/file/all_parent_folder?file_id=...
  - GET /api/v1/files/{id}/ancestors

Actual behavior

Any authenticated user can retrieve parent/ancestor folder metadata for arbitrary file_id values (including files from other tenants).
These endpoints authenticate the caller, but do not enforce file-level authorization before returning metadata.

Expected behavior

The API should verify that the caller has access to the target file (owner/team permission) before returning parent/ancestor metadata.
If not authorized, return a permission error (e.g., 403 / No authorization).

Steps to reproduce

1. Sign in as user A.
2. Use a file_id that belongs to user B (another tenant/user).
3. Send one of the following requests:
  - GET /v1/file/parent_folder?file_id=<user_b_file_id>
  - GET /v1/file/all_parent_folder?file_id=<user_b_file_id>
  - GET /api/v1/files/<user_b_file_id>/ancestors
4. Observe the API returns folder ancestry metadata instead of denying access.

Additional information

Root cause appears to be missing authorization checks in ancestry lookup path:

  • In internal/handler/file.go, handlers call service methods after auth but without passing/validating ownership for the target file:
    • GetParentFolder
    • GetAllParentFolders
    • GetFileAncestors
  • In internal/service/file.go, methods only verify existence and then fetch the hierarchy:
    • GetParentFolder(fileID string)
    • GetAllParentFolders(fileID string)
    By contrast, GetFileContent(uid, fileID) correctly checks authorization via checkFileTeamPermission(...).

Security impact: cross-tenant metadata disclosure and file hierarchy/resource enumeration (IDOR).
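The pattern the report describes, side by side with the fix, as an added example rather than RAGFlow's own code: an in-memory file store, an ancestry lookup that only checks that the target exists, and a hardened variant that authorizes the caller against the target file before reading any hierarchy. Every type and function here (File, Caller, FileStore, newDemoStore, and the stand-in checkFileTeamPermission, which borrows the name the report mentions but implements a hypothetical tenant-match policy) is an assumption for illustration, and the folder trees are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not RAGFlow code: every name below is a hypothetical stand-in
// for the handler/service layer the report describes.
type File struct{ ID, Name, ParentID, TenantID string } // ParentID == "" marks a root folder
type Caller struct{ UserID, TenantID string }           // the authenticated principal the handler resolved

var (
	ErrNotFound  = errors.New("file not found")
	ErrForbidden = errors.New("no authorization")
	ErrCycle     = errors.New("folder hierarchy contains a cycle")
)

// FileStore is an in-memory stand-in for the database layer.
type FileStore struct{ files map[string]*File }

func (s *FileStore) get(id string) (*File, error) {
	if f, ok := s.files[id]; ok {
		return f, nil
	}
	return nil, ErrNotFound
}

// walk returns the ancestors of f nearest-first and refuses to loop on a corrupt tree.
func (s *FileStore) walk(f *File) ([]*File, error) {
	var out []*File
	seen := map[string]bool{f.ID: true}
	for cur := f; cur.ParentID != ""; {
		parent, err := s.get(cur.ParentID)
		if err != nil {
			return nil, err
		}
		if seen[parent.ID] {
			return nil, ErrCycle
		}
		seen[parent.ID] = true
		out = append(out, parent)
		cur = parent
	}
	return out, nil
}

// GetAllParentFoldersVulnerable mirrors the report: the target only has to exist.
func (s *FileStore) GetAllParentFoldersVulnerable(fileID string) ([]*File, error) {
	f, err := s.get(fileID)
	if err != nil {
		return nil, err
	}
	return s.walk(f)
}

// checkFileTeamPermission is a hypothetical stand-in; tenant membership is the whole policy here.
func checkFileTeamPermission(c Caller, f *File) error {
	if f.TenantID != c.TenantID {
		return ErrForbidden
	}
	return nil
}

// GetAllParentFolders is the hardened variant: the caller is authorized
// against the target file before any hierarchy data is read.
func (s *FileStore) GetAllParentFolders(c Caller, fileID string) ([]*File, error) {
	f, err := s.get(fileID)
	if err != nil {
		return nil, err
	}
	if err := checkFileTeamPermission(c, f); err != nil {
		return nil, err
	}
	return s.walk(f)
}

// newDemoStore builds constructed sample data: one folder tree per tenant.
func newDemoStore() *FileStore {
	s := &FileStore{files: map[string]*File{}}
	for _, f := range []*File{
		{ID: "root-a", Name: "/", TenantID: "tenant-a"},
		{ID: "docs-a", Name: "docs", ParentID: "root-a", TenantID: "tenant-a"},
		{ID: "file-a", Name: "plan.pdf", ParentID: "docs-a", TenantID: "tenant-a"},
		{ID: "root-b", Name: "/", TenantID: "tenant-b"},
		{ID: "hr-b", Name: "hr", ParentID: "root-b", TenantID: "tenant-b"},
		{ID: "file-b", Name: "salaries.xlsx", ParentID: "hr-b", TenantID: "tenant-b"},
	} {
		s.files[f.ID] = f
	}
	return s
}

func main() {
	store, alice := newDemoStore(), Caller{UserID: "alice", TenantID: "tenant-a"}
	leaked, _ := store.GetAllParentFoldersVulnerable("file-b") // alice asks for tenant-b's file
	_, denied := store.GetAllParentFolders(alice, "file-b")
	fmt.Println("vulnerable:", leaked[0].Name, leaked[1].Name, "| hardened:", denied)
}
```

Putting the check in the service method rather than in each handler means every route that resolves ancestry (parent_folder, all_parent_folder, ancestors) inherits it, which is the shape GetFileContent already has according to the report. One caveat when wiring the HTTP response: answering 403 for a foreign file and 404 for a missing one still tells an attacker which file_id values exist in other tenants; returning the same not-found response for both closes that enumeration channel at the cost of a less informative error for legitimate callers.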

Labels: 🐞 bug (something isn't working, or a pull request that fixes a bug)