Skip to content

Fix REST endpoint /set not enforcing queryModifier on existing documents#404

Closed
pubkey wants to merge 2 commits intomasterfrom
claude/fix-query-modifier-bug-orRFW
Closed

Fix REST endpoint /set not enforcing queryModifier on existing documents#404
pubkey wants to merge 2 commits intomasterfrom
claude/fix-query-modifier-bug-orRFW

Conversation

@pubkey
Copy link
Copy Markdown
Owner

@pubkey pubkey commented Apr 14, 2026

This PR contains:

  • A BUGFIX
  • IMPROVED TESTS
  • IMPROVED DOCS

Describe the problem you have without this PR

The REST endpoint /set handler only validated that the new document state matched the queryModifier, but did not validate that the existing document being updated was visible to the authenticated user under the same queryModifier. This allowed an authenticated user to overwrite documents owned by other users if they knew the primary key, bypassing access control.

For example, a user authenticated as 'alice' could overwrite a document owned by 'bob' by sending a /set request with the correct primary key and a new document state that passes the queryModifier check.

Changes

Source Code

  • src/plugins/server/endpoint-rest.ts: Added validation in the /set handler to check that the existing document matches the queryModifier before allowing an update. The handler now:
    1. Checks if the existing document is visible to the authenticated user (passes docDataMatcherWrite)
    2. Returns 403 Forbidden if the existing document doesn't match the queryModifier
    3. Prevents unauthorized overwrites of documents owned by other users

Tests

  • test/unit/endpoint-rest.test.ts: Added test case should not allow overwriting an existing document that does not match the queryModifier to verify that attempting to overwrite a document owned by another user is rejected with a 403 error
  • test/unit/performance.test.ts: Added new performance benchmark tests for the /query and /set endpoints with queryModifier to track performance of the hot paths

Documentation

  • CHANGELOG.md: Documented the security fix

Test Plan

The fix is covered by:

  1. New unit test that verifies a user cannot overwrite another user's document
  2. Existing tests continue to pass, ensuring no regression in normal update operations
  3. Performance tests added to track any performance impact of the additional validation

@pubkey

https://claude.ai/code/session_013rJpm4ZQGCbXdacEAkkVta

@claude
fix(server): enforce queryModifier on existing doc in REST /set
4e68c60 
The /set REST endpoint only validated the client-provided new document
state against the queryModifier. An authenticated user that knew a
primary key of a document owned by another user could overwrite it by
sending a new state that matched their own queryModifier restriction.

Apply the same docDataMatcherWrite check to the current server-side
document, consistent with the behavior of /delete.

Also add a performance test suite for the queryModifier hot paths so
future regressions are easier to spot.
@pubkey
Copy link
Copy Markdown
Owner Author

pubkey commented Apr 15, 2026

@copilot do not add performance tests in this pr

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 15, 2026

@copilot do not add performance tests in this pr

Done in ecc723b — I removed the performance test file and its import from this PR. No UI changes were made, so there is no screenshot.

@pubkey pubkey closed this Apr 15, 2026
Copilot stopped work on behalf of pubkey due to an error April 15, 2026 07:42
Job was cancelled
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pubkey @claude