Skip to content

Security: Team-restricted agents can access tickets from other teams via API split/merge endpoints #2086

Description

@lighthousekeeper1212

Summary

The Helpy API has missing team-based authorization checks on several ticket manipulation endpoints, allowing team-restricted agents to access and modify tickets belonging to other teams.

Vulnerability Details

1. API Split Endpoint - Missing Team Check

File: app/controllers/api/v1/topics.rb line 238

The POST /api/v1/tickets/split/:post_id endpoint loads a post by ID without checking if the parent ticket belongs to the agent's team:

post "split/:post_id", root: :topics do
  post = Post.where(id: permitted_params[:post_id]).first  # No team check
  parent_topic = post.topic
  # Creates new topic from the post without team validation
end

Secure comparison: The assign endpoint (line 139-143) properly checks team membership:

post "assign/:id", root: :topics do
  if current_user.is_restricted?
    ticket = Topic.where(id: permitted_params[:id]).all.tagged_with(current_user.team_list).first
  else
    ticket = Topic.where(id: permitted_params[:id]).first
  end

The same is_restricted? + tagged_with(current_user.team_list) pattern is consistently used in show (line 64-68), update_status (line 162-167), update_tags (line 193-198), and update_forum (line 215-220) but is missing from split and merge.

2. API Merge Endpoint - Missing Team Check

File: app/controllers/api/v1/topics.rb line 282

The POST /api/v1/tickets/merge endpoint merges tickets without any team validation:

post "merge", root: :topics do
  @ticket = Topic.merge_topics(params[:topic_ids], params[:user_id])
  # Merges ANY tickets regardless of team restrictions
end

3. Admin merge_tickets/split_topic - Missing from before_action

File: app/controllers/admin/topics_controller.rb line 36

The get_topics_cohort before_action protects bulk operations but excludes merge_tickets and split_topic:

before_action :get_topics_cohort, only: ['update_topic', 'assign_agent', 'unassign_agent', 'toggle_privacy', 'assign_team', 'unassign_team']
# merge_tickets and split_topic are NOT in this list

Impact

A team-restricted agent can:

  • Split posts from tickets belonging to other teams, creating new accessible tickets
  • Merge tickets across team boundaries, gaining access to other teams' ticket content
  • These operations bypass the team-based data isolation that other endpoints enforce

Suggested Fix

Add the is_restricted? + tagged_with team check to split and merge endpoints, and add merge_tickets and split_topic to the get_topics_cohort before_action list.


Found during automated security research by Lighthouse

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions