fix(security): enforce workspace access on GetIssueGCCheck (#1121)

The daemon GC check endpoint did not verify the caller's access to the issue's workspace, letting a daemon token or PAT scoped to workspace A read issue status/updated_at for any issue UUID across the instance. Mirror the pattern used by every other handler in daemon.go: look up the issue's workspace and gate on requireDaemonWorkspaceAccess. Closes #1112 Co-authored-by: shaun0927 <shaun0927@users.noreply.github.com>
2026-06-17 11:48:42 +02:00 · 2026-04-16 14:43:17 +09:00
parent fe358feff0
commit 93cf95f799
1 changed files with 5 additions and 0 deletions
--- a/server/internal/handler/daemon.go
+++ b/server/internal/handler/daemon.go
@@ -1033,6 +1033,8 @@ func (h *Handler) GetIssueUsage(w http.ResponseWriter, r *http.Request) {
 }

 // GetIssueGCCheck returns minimal issue info needed by the daemon GC loop.
+// Gated on workspace access so a daemon token scoped to workspace A cannot
+// read issue metadata from workspace B via UUID enumeration.
 func (h *Handler) GetIssueGCCheck(w http.ResponseWriter, r *http.Request) {
 	issueID := chi.URLParam(r, "issueId")
 	issue, err := h.Queries.GetIssue(r.Context(), parseUUID(issueID))
@@ -1040,6 +1042,9 @@ func (h *Handler) GetIssueGCCheck(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusNotFound, "issue not found")
 		return
 	}
+	if !h.requireDaemonWorkspaceAccess(w, r, uuidToString(issue.WorkspaceID)) {
+		return
+	}
 	writeJSON(w, http.StatusOK, map[string]any{
 		"status":     issue.Status,
 		"updated_at": issue.UpdatedAt.Time,