Summary
policyengine-api exposes unauthenticated user-profile and user-policy routes with caller-controlled identifiers.
Severity
High
Impact
Any client can create, read, or mutate another user’s profile and saved policies by supplying arbitrary auth0_id or user_id values.
Affected code
policyengine_api/routes/user_profile_routes.py:12-135policyengine_api/endpoints/policy.py:81-359policyengine_api/api.py:100-101,148-154
Details
The affected routes have no auth or ownership checks and are mounted with app-wide CORS enabled.
Expected behavior
User-scoped routes should require authenticated callers and enforce ownership based on the authenticated principal, not caller-supplied IDs.
Suggested remediation
- Add auth middleware/decorators to user-scoped routes
- Derive subject/ownership from the validated token
- Reject caller-supplied foreign
auth0_id/user_id combinations
- Add authorization tests for cross-user access attempts
Summary
policyengine-apiexposes unauthenticated user-profile and user-policy routes with caller-controlled identifiers.Severity
High
Impact
Any client can create, read, or mutate another user’s profile and saved policies by supplying arbitrary
auth0_idoruser_idvalues.Affected code
policyengine_api/routes/user_profile_routes.py:12-135policyengine_api/endpoints/policy.py:81-359policyengine_api/api.py:100-101,148-154Details
The affected routes have no auth or ownership checks and are mounted with app-wide CORS enabled.
Expected behavior
User-scoped routes should require authenticated callers and enforce ownership based on the authenticated principal, not caller-supplied IDs.
Suggested remediation
auth0_id/user_idcombinations