security: CRITICAL IDOR-Fix auf Stressfrei-Email-Sub-Routes
Pentest hat einen echten Credential-Exfiltration-Angriff erfolgreich
durchgespielt: als Portal-User von Kunde A komplette Klartext-IMAP/SMTP-
Zugangsdaten der Mailbox von Kunde B abgreifbar.
Root Cause: GET /api/stressfrei-emails/:id hatte canAccessStressfreiEmail-
Check, ALLE 8 Sub-Endpoints unter :id/* hatten nur `authenticate +
requirePermission('customers:read')` — was jeder Portal-User de facto hat.
Betroffene Controller (alle gefixt mit canAccessStressfreiEmail als erster
Zeile):
stressfreiEmail.controller.ts:
- updateEmail (PUT /:id)
- deleteEmail (DELETE /:id)
- resetPassword (POST /:id/reset-password)
cachedEmail.controller.ts:
- getMailboxCredentials (GET /:id/credentials) ← KRITISCHSTER, lieferte
Klartext-IMAP/SMTP-Passwort + Server-Daten der fremden Mailbox
- getFolderCounts (GET /:id/folder-counts)
- syncAccount (POST /:id/sync)
- sendEmailFromAccount (POST /:id/send) — fremde Mailbox zum Versand
missbrauchbar
- enableMailbox (POST /:id/enable-mailbox)
- syncMailboxStatus (POST /:id/sync-mailbox-status)
Security-Monitor: canAccessResourceByCustomerId emittiert bei jedem
Fehlversuch ein ACCESS_DENIED MEDIUM-Event. Threshold-Detection erzeugt
bei >5 Versuchen in 5 min ein CRITICAL SUSPICIOUS-Event + Sofort-Alert.
Live-verifiziert (Portal-User Kunde A versucht Email-ID von Kunde B):
- alle 8 Sub-Routes → HTTP 403
- eigene Email-ID → 200/400 (Ownership-Check OK)
- 8× ACCESS_DENIED MEDIUM im Security-Monitor
Doku in docs/SECURITY-HARDENING.md als Runde 13.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -22,6 +22,7 @@ import {
|
||||
canAccessCustomer,
|
||||
canAccessContract,
|
||||
canAccessCachedEmail,
|
||||
canAccessStressfreiEmail,
|
||||
} from '../utils/accessControl.js';
|
||||
|
||||
// ==================== E-MAIL LIST ====================
|
||||
@@ -214,9 +215,10 @@ export async function unassignFromContract(req: Request, res: Response): Promise
|
||||
}
|
||||
|
||||
// E-Mail-Anzahl pro Ordner für ein Konto
|
||||
export async function getFolderCounts(req: Request, res: Response): Promise<void> {
|
||||
export async function getFolderCounts(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const stressfreiEmailId = parseInt(req.params.id);
|
||||
if (!(await canAccessStressfreiEmail(req, res, stressfreiEmailId))) return;
|
||||
|
||||
const counts = await cachedEmailService.getFolderCountsForAccount(stressfreiEmailId);
|
||||
|
||||
@@ -250,9 +252,10 @@ export async function getContractFolderCounts(req: Request, res: Response): Prom
|
||||
// ==================== SYNC & SEND ====================
|
||||
|
||||
// E-Mails für ein Konto synchronisieren (INBOX + SENT)
|
||||
export async function syncAccount(req: Request, res: Response): Promise<void> {
|
||||
export async function syncAccount(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const stressfreiEmailId = parseInt(req.params.id);
|
||||
if (!(await canAccessStressfreiEmail(req, res, stressfreiEmailId))) return;
|
||||
const fullSync = req.query.full === 'true';
|
||||
|
||||
// Synchronisiert sowohl INBOX als auch SENT
|
||||
@@ -292,9 +295,10 @@ function hasCRLF(value: unknown): boolean {
|
||||
}
|
||||
|
||||
// E-Mail senden
|
||||
export async function sendEmailFromAccount(req: Request, res: Response): Promise<void> {
|
||||
export async function sendEmailFromAccount(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const stressfreiEmailId = parseInt(req.params.id);
|
||||
if (!(await canAccessStressfreiEmail(req, res, stressfreiEmailId))) return;
|
||||
const { to, cc, subject, text, html, inReplyTo, references, attachments, contractId } = req.body;
|
||||
|
||||
// Header-Injection (CRLF) in Empfänger/Betreff ablehnen
|
||||
@@ -624,9 +628,10 @@ export async function getMailboxAccounts(req: Request, res: Response): Promise<v
|
||||
}
|
||||
|
||||
// Mailbox nachträglich aktivieren
|
||||
export async function enableMailbox(req: Request, res: Response): Promise<void> {
|
||||
export async function enableMailbox(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const id = parseInt(req.params.id);
|
||||
if (!(await canAccessStressfreiEmail(req, res, id))) return;
|
||||
|
||||
const result = await stressfreiEmailService.enableMailbox(id);
|
||||
|
||||
@@ -649,9 +654,10 @@ export async function enableMailbox(req: Request, res: Response): Promise<void>
|
||||
}
|
||||
|
||||
// Mailbox-Status mit Provider synchronisieren
|
||||
export async function syncMailboxStatus(req: Request, res: Response): Promise<void> {
|
||||
export async function syncMailboxStatus(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const id = parseInt(req.params.id);
|
||||
if (!(await canAccessStressfreiEmail(req, res, id))) return;
|
||||
|
||||
const result = await stressfreiEmailService.syncMailboxStatus(id);
|
||||
|
||||
@@ -697,9 +703,13 @@ export async function getThread(req: Request, res: Response): Promise<void> {
|
||||
}
|
||||
|
||||
// Mailbox-Zugangsdaten abrufen (IMAP/SMTP)
|
||||
export async function getMailboxCredentials(req: Request, res: Response): Promise<void> {
|
||||
export async function getMailboxCredentials(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const id = parseInt(req.params.id);
|
||||
// Ownership-Check: ohne diesen Check konnte ein Portal-Kunde mit
|
||||
// bekannter Stressfrei-Email-ID die kompletten IMAP/SMTP-Credentials
|
||||
// eines anderen Kunden abrufen (IDOR). Pentest-Finding 2026-05-XX.
|
||||
if (!(await canAccessStressfreiEmail(req, res, id))) return;
|
||||
|
||||
// StressfreiEmail laden
|
||||
const stressfreiEmail = await stressfreiEmailService.getEmailWithMailboxById(id);
|
||||
|
||||
@@ -68,9 +68,11 @@ export async function createEmail(req: Request, res: Response): Promise<void> {
|
||||
}
|
||||
}
|
||||
|
||||
export async function updateEmail(req: Request, res: Response): Promise<void> {
|
||||
export async function updateEmail(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const email = await stressfreiEmailService.updateEmail(parseInt(req.params.id), req.body);
|
||||
const emailId = parseInt(req.params.id);
|
||||
if (!(await canAccessStressfreiEmail(req, res, emailId))) return;
|
||||
const email = await stressfreiEmailService.updateEmail(emailId, req.body);
|
||||
await logChange({
|
||||
req, action: 'UPDATE', resourceType: 'StressfreiEmail',
|
||||
resourceId: email.id.toString(),
|
||||
@@ -85,9 +87,10 @@ export async function updateEmail(req: Request, res: Response): Promise<void> {
|
||||
}
|
||||
}
|
||||
|
||||
export async function deleteEmail(req: Request, res: Response): Promise<void> {
|
||||
export async function deleteEmail(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const emailId = parseInt(req.params.id);
|
||||
if (!(await canAccessStressfreiEmail(req, res, emailId))) return;
|
||||
await stressfreiEmailService.deleteEmail(emailId);
|
||||
await logChange({
|
||||
req, action: 'DELETE', resourceType: 'StressfreiEmail',
|
||||
@@ -142,9 +145,11 @@ export async function syncForwarding(req: AuthRequest, res: Response): Promise<v
|
||||
}
|
||||
}
|
||||
|
||||
export async function resetPassword(req: Request, res: Response): Promise<void> {
|
||||
export async function resetPassword(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const result = await stressfreiEmailService.resetMailboxPassword(parseInt(req.params.id));
|
||||
const emailId = parseInt(req.params.id);
|
||||
if (!(await canAccessStressfreiEmail(req, res, emailId))) return;
|
||||
const result = await stressfreiEmailService.resetMailboxPassword(emailId);
|
||||
if (!result.success) {
|
||||
res.status(400).json({
|
||||
success: false,
|
||||
|
||||
Reference in New Issue
Block a user