
Fix REST /set endpoint allowing overwrites of unowned documents #396

Merged
pubkey merged 2 commits into master from claude/debug-rest-endpoint-1jx2Y
Apr 15, 2026

Conversation

@pubkey (Owner) commented Apr 14, 2026

This PR contains:

  • A BUGFIX
  • IMPROVED TESTS

Describe the problem you have without this PR

The REST /set endpoint had a security vulnerability where a client could overwrite documents they do not own. When a queryModifier was configured, the handler only validated that the client-provided (new) document state matched the modifier, but never checked whether the client was allowed to access the existing document being overwritten. This allowed a malicious client to take over arbitrary documents by crafting a write request whose new state passes the queryModifier while targeting a foreign document's primary key.

Changes

Source Code

  • src/plugins/server/endpoint-rest.ts: Added validation in the document update path to ensure the client is allowed to access the existing document before permitting an overwrite. The check uses docDataMatcherWrite (the same validator used for new documents) against the existing document's state to verify the client has permission to modify it.

Tests

  • test/unit/endpoint-rest.test.ts: Added a comprehensive test case 'should not allow overwriting a document the user does not own' that verifies:
    • A document owned by one user (bob) cannot be overwritten by another user (alice)
    • The server rejects the overwrite attempt with a 403 Forbidden response
    • The original document remains intact after the failed attempt

Performance Benchmarking

  • test/unit/perf-rest-set.ts: Added a micro-benchmark to measure the performance impact of bulk /set requests on the modified code path. This ensures the security fix does not introduce significant performance regressions.

Documentation

  • CHANGELOG.md: Updated with a note about the security fix.

Test Plan

The new test case in endpoint-rest.test.ts directly validates the fix by attempting an unauthorized document overwrite and verifying it is rejected. The benchmark in perf-rest-set.ts can be run to confirm no significant performance degradation was introduced.

https://claude.ai/code/session_0187ohuAF69hYL4vrJwpUCEH
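To make the authorization gap concrete, here is an added example that models the `/set` handler described above. It is not RxDB's code and does not use RxDB's APIs: `queryModifier`, `docMatches`, `handleSetVulnerable`, `handleSetFixed` and the `Doc` shape are all hypothetical stand-ins. The vulnerable handler validates only the client-supplied new state against the per-user modifier; the fixed handler also runs the same matcher against the existing server document and rejects the write with 403 when it does not match, which is the change the PR describes.

```typescript
// Added example, not RxDB's own code. All names below are hypothetical.
// Models a REST "/set" handler with a per-user queryModifier, showing the
// missing ownership check beside the hardened handler.

type Doc = { id: string; owner: string; body: string };
type AuthContext = { userId: string };
type Selector = Partial<Doc>;
type SetResult = { status: 200 | 403 };

// Hypothetical queryModifier: every query is narrowed to the caller's own docs.
function queryModifier(auth: AuthContext, selector: Selector): Selector {
  return { ...selector, owner: auth.userId };
}

// Minimal equality matcher: every field in the selector must equal the doc's.
function docMatches(selector: Selector, doc: Doc): boolean {
  return (Object.keys(selector) as (keyof Doc)[]).every((k) => selector[k] === doc[k]);
}

// Vulnerable handler: only the client-provided NEW state is checked, so a
// new state that satisfies the modifier can overwrite any primary key.
function handleSetVulnerable(store: Map<string, Doc>, auth: AuthContext, newDoc: Doc): SetResult {
  const allowed = queryModifier(auth, {});
  if (!docMatches(allowed, newDoc)) return { status: 403 };
  store.set(newDoc.id, newDoc); // overwrites regardless of who owns the existing doc
  return { status: 200 };
}

// Fixed handler: the EXISTING document (if any) must also match the caller's
// modifier before an overwrite is permitted; otherwise 403 Forbidden.
function handleSetFixed(store: Map<string, Doc>, auth: AuthContext, newDoc: Doc): SetResult {
  const allowed = queryModifier(auth, {});
  if (!docMatches(allowed, newDoc)) return { status: 403 };
  const existing = store.get(newDoc.id);
  if (existing !== undefined && !docMatches(allowed, existing)) return { status: 403 };
  store.set(newDoc.id, newDoc);
  return { status: 200 };
}

type Handler = typeof handleSetVulnerable;

// Constructed scenario: bob owns "d1"; alice sends a new state that passes
// the modifier (owner: alice) but targets bob's primary key.
function runTakeoverAttempt(handler: Handler): { status: number; ownerAfter: string } {
  const store = new Map<string, Doc>();
  store.set('d1', { id: 'd1', owner: 'bob', body: 'bobs note' });
  const res = handler(store, { userId: 'alice' }, { id: 'd1', owner: 'alice', body: 'replaced' });
  return { status: res.status, ownerAfter: store.get('d1')!.owner };
}

// Constructed scenario: bob legitimately updates his own document.
function runOwnUpdate(handler: Handler): { status: number; bodyAfter: string } {
  const store = new Map<string, Doc>();
  store.set('d1', { id: 'd1', owner: 'bob', body: 'v1' });
  const res = handler(store, { userId: 'bob' }, { id: 'd1', owner: 'bob', body: 'v2' });
  return { status: res.status, bodyAfter: store.get('d1')!.body };
}

console.log('vulnerable:', runTakeoverAttempt(handleSetVulnerable)); // 200, owner becomes alice
console.log('fixed:     ', runTakeoverAttempt(handleSetFixed));      // 403, owner stays bob
console.log('own update:', runOwnUpdate(handleSetFixed));            // 200, body v2
```

The matcher is reused unchanged for both the new state and the existing state, which mirrors the PR's choice of running `docDataMatcherWrite` against the existing document rather than adding a separate ownership rule; the test for this class of bug is exactly the one the PR adds: a foreign owner's write must return 403 and leave the stored document untouched.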

claude and others added 2 commits April 14, 2026 13:30
The REST /set endpoint only validated the client-provided (new) document
state against the configured queryModifier. It never checked the
existing server document, so an authenticated user could take over a
foreign document by sending a write whose new state matched the modifier
while targeting another user's primary key. The handler now also runs
the query matcher against the existing server document and rejects the
request with 403 Forbidden if it does not match, aligning the behavior
with the replication /push endpoint.
@pubkey pubkey merged commit eb1d491 into master Apr 15, 2026
2 checks passed