Marc Schäfer 51629247a5 fix(middleware): prevent cross-org site binding in target create/update ...

Extend verifySiteAccess to check that when req.userOrgId is already set
by a prior middleware (e.g. verifyResourceAccess/verifyTargetAccess), the
site from req.body.siteId belongs to the same organization. This prevents
the cross-organization tunnel boundary bypass where an attacker with
resource access in one org binds that resource's target to a site in
another org.

Add verifySiteAccess to both target route stacks:
- PUT /resource/:resourceId/target (after verifyResourceAccess)
- POST /target/:targetId (after verifyTargetAccess)

The org-match check runs before req.userOrg is overwritten, so the
resource's organization context is preserved for comparison.

Signed-off-by: Marc Schäfer <git@marcschaeferger.de>

2026-05-29 22:44:16 +00:00

..

auth

Merge branch 'resource-policies' into dev

2026-05-28 15:30:16 -07:00

db

Update postgres schema

2026-05-28 20:20:34 -07:00

emails

Adjust language

2026-05-01 10:48:09 -07:00

lib

Auto-create roles referenced in blueprints

2026-05-28 21:14:14 -07:00

license

…

middlewares

fix(middleware): prevent cross-org site binding in target create/update

2026-05-29 22:44:16 +00:00

private

Merge branch 'main' into dev

2026-05-28 17:46:42 -07:00

routers

fix(middleware): prevent cross-org site binding in target create/update

2026-05-29 22:44:16 +00:00

setup

Unstage ignored files

2026-05-28 20:27:25 -07:00

types

first pass

2026-02-24 17:58:11 -08:00

apiServer.ts

change logging

2026-04-21 20:51:59 -07:00

cleanup.ts

fix: revert investigative changes, keep root cause fixes only

2026-05-02 16:33:13 -04:00

extendZod.ts

…

index.ts

Merge pull request #3085 from marcschaeferger-org/security-updates

2026-05-28 11:54:23 -07:00

integrationApiServer.ts

openapi and swagger ui improvements and cleanup

2026-03-02 21:59:41 -08:00

internalServer.ts

fix: revert investigative changes, keep root cause fixes only

2026-05-02 16:33:13 -04:00

logger.ts

…

nextServer.ts

Merge branch 'dev' of github.com:fosrl/pangolin into dev

2026-04-21 21:20:24 -07:00

openApi.ts

Merge branch 'dev' into feat/resource-policies

2026-03-04 16:46:33 +01:00