Skip to content

fix: return 404 instead of 403 for unauthorized annotation access to prevent resource enumeration#2595

Open
tmdeveloper007 wants to merge 2 commits into
nisshchayarathi:mainfrom
tmdeveloper007:#276-403-to-404
Open

fix: return 404 instead of 403 for unauthorized annotation access to prevent resource enumeration#2595
tmdeveloper007 wants to merge 2 commits into
nisshchayarathi:mainfrom
tmdeveloper007:#276-403-to-404

Conversation

@tmdeveloper007

Copy link
Copy Markdown
Contributor

Summary

The annotation API routes were returning 403 Forbidden when a user tried to access annotations belonging to a different user. This inadvertently confirmed the existence of those resources, enabling enumeration attacks.

Security Fix

Changed the unauthorized access response from 403 Forbidden to 404 Not Found in:

  • app/api/annotations/[id]/route.ts (PATCH and DELETE handlers)
  • app/api/annotations/route.ts (GET handler)

This prevents an attacker from determining whether a resource ID is valid by observing different HTTP status codes.

Changes

  • app/api/annotations/[id]/route.ts: Return NextResponse.json({error: 'Not found'}, {status: 404}) instead of 403
  • app/api/annotations/route.ts: Return 404 instead of 403 for unauthorized repository access

Related Issue

Fixes #276

@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

Someone is attempting to deploy a commit to the Nisshchaya's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added the GSSoC'26 Part of GirlScript Summer of Code 2026 label Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🎉 Thanks for your contribution, @tmdeveloper007!

Your PR has passed our automated GSSoC quality checks. Here's a quick summary:

Check Status
PR description ✅ Provided
PR title ✅ Meaningful
Linked issue ✅ Found
Change size ✅ Looks good (125 lines across 9 file(s))

A maintainer will review your PR soon. Please be patient and available for feedback. 💪

GSSoC'26 automation · Maintainer: @nisshchayarathi

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@tmdeveloper007, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 11 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: cc20fad8-edf5-4d2b-8698-be03cd5a2a24

📥 Commits

Reviewing files that changed from the base of the PR and between 07ceab7 and a0ad604.

📒 Files selected for processing (12)
  • app/api/ai/analyze-repository/route.ts
  • app/api/ai/chat/route.ts
  • app/api/ai/compare/route.ts
  • app/api/annotations/[id]/route.ts
  • app/api/annotations/route.ts
  • app/api/integrations/github/import/route.ts
  • lib/services/bitbucketService.ts
  • lib/services/githubService.ts
  • lib/services/gitlabService.ts
  • src/components/repository/ContributorIssueRecommendations.tsx
  • src/components/repository/RepositoryInsights.tsx
  • src/components/visualizations/CodeDependencyGraph.tsx
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Mavis Agent added 2 commits July 6, 2026 19:32
Cherry-picked from upstream fix branch:
- lib/services/bitbucketService.ts: String() wrapping
- lib/services/gitlabService.ts: String() wrapping
- src/components/repository/ContributorIssueRecommendations.tsx: stub
- src/components/repository/RepositoryInsights.tsx: remove invalid repository prop
- src/components/visualizations/CodeDependencyGraph.tsx: remove graphData from dependency array
…dpoints, 403-to-404 in annotations, and clear permission errors
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🎉 Thanks for your contribution, @tmdeveloper007!

Your PR has passed our automated GSSoC quality checks. Here's a quick summary:

Check Status
PR description ✅ Provided
PR title ✅ Meaningful
Linked issue ✅ Found
Change size ✅ Looks good (124 lines across 12 file(s))

A maintainer will review your PR soon. Please be patient and available for feedback. 💪

GSSoC'26 automation · Maintainer: @nisshchayarathi

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

GSSoC'26 Part of GirlScript Summer of Code 2026

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: Enforce consistent 404 for cross-user repository access

1 participant