From 9ecb6eae46c5ceb1a083ad9a03cf0676ad2d09ed Mon Sep 17 00:00:00 2001
From: Ashutosh0x
Date: Wed, 3 Jun 2026 10:20:04 +0530
Subject: [PATCH] fix: validate issue ID against testcase before update

The /testcase-detail/update-issue endpoint authorizes access to the testcase but then performs issue-tracker writes using a request-supplied issueId without verifying it matches the testcase's currently linked issue. This allows a user with access to one testcase to trigger updates (comments, labels, title changes, rebinding) on an unrelated issue. Add a check that the supplied issueId matches the testcase's existing bug_information field before proceeding with the update. If the testcase has no linked issue yet (first-time linking), the check is skipped to preserve existing functionality.

Fixes #5262
---
 .../handlers/testcase_detail/update_issue.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/appengine/handlers/testcase_detail/update_issue.py b/src/appengine/handlers/testcase_detail/update_issue.py
index ac003a7c441..090ed1ba848 100644
--- a/src/appengine/handlers/testcase_detail/update_issue.py
+++ b/src/appengine/handlers/testcase_detail/update_issue.py
@@ -32,6 +32,17 @@ def update_issue(testcase, issue_id, needs_summary_update):
   """Associate (or update) an existing issue with the testcase."""
   issue_id = helpers.cast(issue_id, int,
                           'Issue ID (%s) is not a number!' % issue_id)
+
+  # Verify that the supplied issue ID matches the testcase's currently linked
+  # issue. Without this check, a user authorized for one testcase could use
+  # that authorization to trigger issue-tracker writes on an arbitrary issue.
+  existing_issue_id = testcase.bug_information
+  if existing_issue_id and str(existing_issue_id) != str(issue_id):
+    raise helpers.EarlyExitError(
+        'The supplied issue ID (%d) does not match the issue currently '
+        'linked to this testcase (%s). You cannot update an unrelated '
+        'issue through this endpoint.' % (issue_id, existing_issue_id), 403)
+
   issue_tracker = helpers.get_issue_tracker_for_testcase(testcase)
   issue = helpers.get_or_exit(lambda: issue_tracker.get_issue(issue_id),