
🐛 Fix authorization bypass in getLinkedTypebots (GHSA-3fr5-999r-84qj) #2434

Merged
baptisteArno merged 1 commit into main from baptisteArno/fix-ghsa-3fr5-999r-84qj
Apr 7, 2026

Conversation

@baptisteArno (Owner)

Summary

  • Fix broken authorization check in getLinkedTypebots where Array.filter() received an async callback, causing the isReadTypebotForbidden predicate to never actually filter out unauthorized typebots (Promise is always truthy)
  • Replace with Promise.all + synchronous .filter() to properly evaluate access checks
  • Any authenticated user could previously read full bot definitions (variables, groups, webhooks) from other workspaces via a Typebot Link block reference

Test plan

  • Verify that linked typebots the user has access to are still returned correctly
  • Verify that linked typebots from other workspaces the user does NOT have access to are no longer returned

🤖 Generated with Claude Code

Replace async callback in synchronous Array.filter() with Promise.all
to properly evaluate isReadTypebotForbidden for linked typebots.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
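The failure mode the summary describes, as an added TypeScript example that is not Typebot's code: Array.filter() never awaits its callback, so an async predicate returns a Promise, and a Promise object is truthy regardless of the boolean it later resolves to. The names isReadTypebotForbidden and getLinkedTypebots come from the PR, but their signatures, the Typebot and User shapes, the in-memory lookup and the sample data are assumptions constructed for this illustration.

```typescript
// Added illustration of the filter/async bug described in the PR summary;
// not Typebot's own code. Types, signatures and data are constructed.

type Typebot = { id: string; workspaceId: string; name: string };
type User = { id: string; workspaceIds: string[] };

// Constructed sample data: the user belongs to ws-A only, so bot-2 (ws-B)
// must never be returned to them.
const TYPEBOTS: Typebot[] = [
  { id: "bot-1", workspaceId: "ws-A", name: "Onboarding" },
  { id: "bot-2", workspaceId: "ws-B", name: "Another tenant's bot" },
  { id: "bot-3", workspaceId: "ws-A", name: "Support" },
];
const USER: User = { id: "u-1", workspaceIds: ["ws-A"] };

// Stand-in for the access check named in the PR (assumed signature). The
// real one queries the database; what matters here is that it is async.
async function isReadTypebotForbidden(typebot: Typebot, user: User): Promise<boolean> {
  await Promise.resolve(); // simulate a database round trip
  return !user.workspaceIds.includes(typebot.workspaceId);
}

// BROKEN: the async callback hands filter() a Promise for every element.
// A Promise object is truthy whether it later resolves to true or false, so
// nothing is ever filtered out. Note the function is synchronous: nothing
// waits for the checks, and a rejected check would only surface as an
// unhandled rejection.
function getLinkedTypebotsBroken(linkedIds: string[], user: User): Typebot[] {
  const candidates = TYPEBOTS.filter((t) => linkedIds.includes(t.id));
  return candidates.filter(async (t) => !(await isReadTypebotForbidden(t, user)));
}

// FIXED (the pattern the PR adopts): resolve every check first with
// Promise.all, then filter synchronously on the resolved booleans. If any
// check throws, Promise.all rejects and the caller gets an error instead of
// an over-permissive result, so the error path fails closed.
async function getLinkedTypebotsFixed(linkedIds: string[], user: User): Promise<Typebot[]> {
  const candidates = TYPEBOTS.filter((t) => linkedIds.includes(t.id));
  const forbidden = await Promise.all(candidates.map((t) => isReadTypebotForbidden(t, user)));
  return candidates.filter((_, i) => !forbidden[i]);
}

// Runs both versions over the same linked ids and returns the ids each one
// hands back to the user.
async function demo(): Promise<{ broken: string[]; fixed: string[] }> {
  const ids = TYPEBOTS.map((t) => t.id);
  return {
    broken: getLinkedTypebotsBroken(ids, USER).map((t) => t.id),
    fixed: (await getLinkedTypebotsFixed(ids, USER)).map((t) => t.id),
  };
}

demo().then((result) => console.log(result));
```

The same mistake applies to `Array.some()`, `Array.every()` and `Array.find()`: each takes a synchronous predicate and treats a returned Promise as truthy, so any access check built on an async callback to one of these methods is effectively disabled.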
@vercel
vercel bot commented Apr 7, 2026

Project          Deployment   Actions            Updated (UTC)
viewer-v2        Building     Preview, Comment   Apr 7, 2026 3:15pm

2 Skipped Deployments
Project          Deployment   Actions            Updated (UTC)
builder-v2       Ignored      Preview            Apr 7, 2026 3:15pm
landing-page-v2  Ignored                         Apr 7, 2026 3:15pm


@baptisteArno baptisteArno enabled auto-merge (squash) April 7, 2026 15:15
@baptisteArno baptisteArno merged commit b9530a0 into main Apr 7, 2026
10 checks passed
@baptisteArno baptisteArno deleted the baptisteArno/fix-ghsa-3fr5-999r-84qj branch April 7, 2026 15:15