Description
File: app/controllers/purchases_controller.rb
Action: unsubscribe
Lines: 56-59
Description:
The unsubscribe action is defined as a PUBLIC_ACTION (line 22), bypassing authentication (authenticate_user!) and authorization checks (verify_authorized). It fetches a Purchase object using Purchase.find_by_external_id(params[:id]) (line 57) based solely on the user-provided external_id from the URL (params[:id]). It then calls @purchase.unsubscribe_buyer (line 58) without verifying if the request originates from the legitimate owner of the purchase or an authorized user.
Impact:
An attacker who obtains a valid external_id for any purchase (e.g., through leakage in URLs, emails, or other responses) can call the unsubscribe endpoint (likely DELETE /purchases/:id/unsubscribe or similar route) for that purchase. This will trigger the unsubscribe_buyer method on the purchase object, unsubscribing the legitimate buyer from the seller's email communications without authorization. This constitutes an Insecure Direct Object Reference (IDOR) vulnerability.
Recommendation:
Implement proper authorization checks for the unsubscribe action. Consider one of the following:
- Remove `unsubscribe` from `PUBLIC_ACTIONS` and enforce authentication. Check if `current_user` is the purchaser (`@purchase.purchaser == current_user`) before allowing unsubscription.
- If unauthenticated unsubscription is required (e.g., via email links), implement a secure token-based mechanism (e.g., a signed URL with an expiry sent to the user's email) instead of relying solely on the `external_id`.
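Both recommended fixes, written out as an added example that is not the project's own code and does not depend on Rails: a plain-Ruby stand-in for `Purchase` (constructed here), an ownership check for the authenticated path, and an HMAC-signed token with an expiry for the unauthenticated email-link path. `UNSUBSCRIBE_SECRET`, the `Purchase` struct fields and the helper names are assumptions; in the real app the secret would come from the application's credentials and the lookup would be `Purchase.find_by_external_id`.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed stand-in for the app's Purchase model (not the project's code).
Purchase = Struct.new(:external_id, :purchaser_id, :unsubscribed, keyword_init: true)

# Hypothetical secret; a Rails app would take this from its credentials store.
UNSUBSCRIBE_SECRET = "constructed-example-secret".freeze

# Option 1: authenticated path. The action is no longer public, so an
# unauthenticated caller is rejected, and only the purchaser may unsubscribe.
def unsubscribe_as_user(purchase, current_user_id)
  return :unauthorized if current_user_id.nil?                 # authenticate_user! equivalent
  return :forbidden unless purchase.purchaser_id == current_user_id # ownership check
  purchase.unsubscribed = true
  :ok
end

# Option 2: unauthenticated path for email links. The link carries a token that
# binds the external_id to an expiry and is signed with a server-side secret,
# so knowing an external_id alone is not enough to unsubscribe someone else.
def unsubscribe_token(external_id, expires_at:, secret: UNSUBSCRIBE_SECRET)
  payload = Base64.urlsafe_encode64(
    JSON.generate({ "id" => external_id, "exp" => expires_at }), padding: false
  )
  sig = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  "#{payload}.#{sig}"
end

# Returns the external_id if the token is authentic and unexpired, else nil.
# The signature is checked in constant time before the payload is trusted.
def verify_unsubscribe_token(token, now:, secret: UNSUBSCRIBE_SECRET)
  payload, sig = token.to_s.split(".", 2)
  return nil if payload.nil? || sig.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  return nil unless OpenSSL.secure_compare(expected, sig)
  data = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless data["exp"].is_a?(Integer) && now <= data["exp"]
  data["id"]
rescue ArgumentError, JSON::ParserError
  nil
end

# The token-based action: `purchases` stands in for Purchase.find_by_external_id.
def unsubscribe_with_token(purchases, token, now:)
  external_id = verify_unsubscribe_token(token, now: now)
  return :invalid_token if external_id.nil?
  purchase = purchases[external_id]
  return :not_found if purchase.nil?
  purchase.unsubscribed = true
  :ok
end

if __FILE__ == $PROGRAM_NAME
  p = Purchase.new(external_id: "abc123", purchaser_id: 7, unsubscribed: false)
  puts unsubscribe_as_user(p, 8)                                    # forbidden
  tok = unsubscribe_token("abc123", expires_at: Time.now.to_i + 3600)
  puts unsubscribe_with_token({ "abc123" => p }, tok, now: Time.now.to_i) # ok
end
```

The token format is `base64url(JSON).hex(HMAC-SHA256)`; because the payload is covered by the signature, swapping in another purchase's `external_id` or extending `exp` invalidates the token, and the expiry keeps a leaked link from working indefinitely.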