lighthousekeeper1212 opened a new issue, #1506:
URL: https://github.com/apache/answer/issues/1506
## Summary
Two information disclosure issues allow access to deleted/pending content:
### 1. Deleted Answer Content via GET /answer/api/v1/answer/info (Low-Medium)
`AnswerService.Get()` calls `answerRepo.GetByID()` which fetches answers
by raw ID with no `status != deleted` filter. Deleted answers are returned
with full content to unauthenticated callers.
**Secure comparison:** `SearchList` correctly filters:
`session.Where("status != ?", entity.AnswerStatusDeleted)`
### 2. Revision History IDOR via GET /answer/api/v1/activity/timeline/detail (Medium)
`GetObjectTimelineDetail` fetches revision content by sequential integer
ID (`autoincr BIGINT`). No check for whether the associated question/answer
is deleted or pending. Any authenticated user can enumerate
`revision_id=1,2,3...` to read full content of deleted/pending questions and
answers.
**Secure comparison:** `GetRevisionList` correctly checks
`objInfo.IsDeleted()` before showing history. `GetQuestion` blocks access
to deleted/pending content.
### Impact
- Bypasses content moderation (admin-deleted content remains accessible)
- Reveals pending-review content before publication
- Sequential revision IDs make enumeration trivial
## Discovery
Found through automated security research comparing content visibility
controls across endpoints.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
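The two read patterns the report contrasts (a raw primary-key lookup with no status filter, and a child object served without checking its parent's visibility) side by side with their hardened forms. This is an added illustration written for this page, not Apache Answer's code: the `Status` values, the `Store` type, the `moderator` flag and the sample data are assumptions, and the in-memory map stands in for the database session.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical status values; Apache Answer's real constants differ.
type Status int

const (
	StatusAvailable Status = iota
	StatusPending // awaiting moderation, not yet public
	StatusDeleted // removed by the author or a moderator
)

type Answer struct {
	ID      int64
	Status  Status
	Content string
}

// A revision is a child object: its visibility must follow its parent's.
type Revision struct {
	ID       int64
	AnswerID int64
	Content  string
}

// Store is an in-memory stand-in for the repository layer (assumption).
type Store struct {
	answers   map[int64]Answer
	revisions map[int64]Revision
}

// One error for both "missing" and "not visible": a distinct "forbidden"
// error would still tell an enumerating caller which IDs exist.
var ErrNotFound = errors.New("not found")

// Vulnerable pattern: fetch by raw ID, no status filter.
func (s *Store) GetAnswerRaw(id int64) (Answer, error) {
	a, ok := s.answers[id]
	if !ok {
		return Answer{}, ErrNotFound
	}
	return a, nil
}

// Hardened: apply on the single-object read the same status filter the list
// endpoint applies. moderator lets an admin view hidden content via one path.
func (s *Store) GetAnswer(id int64, moderator bool) (Answer, error) {
	a, ok := s.answers[id]
	if !ok || (!moderator && a.Status != StatusAvailable) {
		return Answer{}, ErrNotFound
	}
	return a, nil
}

// Vulnerable pattern: sequential revision ID looked up directly.
func (s *Store) GetRevisionRaw(id int64) (Revision, error) {
	r, ok := s.revisions[id]
	if !ok {
		return Revision{}, ErrNotFound
	}
	return r, nil
}

// Hardened: resolve the parent through the filtered read, so a revision is
// only returned when the answer it belongs to would be.
func (s *Store) GetRevision(id int64, moderator bool) (Revision, error) {
	r, ok := s.revisions[id]
	if !ok {
		return Revision{}, ErrNotFound
	}
	if _, err := s.GetAnswer(r.AnswerID, moderator); err != nil {
		return Revision{}, ErrNotFound
	}
	return r, nil
}

// Enumerate walks revision_id=1..maxID as the report describes and returns
// the IDs the given fetch function hands back, to compare the two paths.
func Enumerate(maxID int64, fetch func(int64) (Revision, error)) []int64 {
	var got []int64
	for id := int64(1); id <= maxID; id++ {
		if _, err := fetch(id); err == nil {
			got = append(got, id)
		}
	}
	return got
}

// SampleStore builds constructed data: one public, one pending and one
// deleted answer, each with a single revision.
func SampleStore() *Store {
	return &Store{
		answers: map[int64]Answer{
			1: {ID: 1, Status: StatusAvailable, Content: "public answer"},
			2: {ID: 2, Status: StatusPending, Content: "pending answer"},
			3: {ID: 3, Status: StatusDeleted, Content: "deleted answer"},
		},
		revisions: map[int64]Revision{
			1: {ID: 1, AnswerID: 1, Content: "rev of public"},
			2: {ID: 2, AnswerID: 2, Content: "rev of pending"},
			3: {ID: 3, AnswerID: 3, Content: "rev of deleted"},
		},
	}
}

func main() {
	s := SampleStore()
	filtered := func(id int64) (Revision, error) { return s.GetRevision(id, false) }
	fmt.Println("raw path leaks:  ", Enumerate(5, s.GetRevisionRaw))
	fmt.Println("filtered returns:", Enumerate(5, filtered))
}
```

The point of routing `GetRevision` through `GetAnswer` rather than re-checking `Status` inline is that there is then exactly one place where "is this object visible to this caller" is decided, which is what keeps the single-object read, the list endpoint and the revision endpoint from drifting apart again.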