Fix BOLA (Broken Object Level Authorization) in Camping
BOLA (Broken Object Level Authorization), formerly known as IDOR, remains the primary vector for unauthorized data exfiltration in micro-frameworks like Camping. The vulnerability occurs when the application uses a user-supplied ID to retrieve a database object without validating whether the authenticated user has the right to access that specific resource. If you're querying the global model space directly from a URL parameter, you're pwned.
The Vulnerable Pattern
module Blog::Controllers
  class Post < R '/post/(\d+)'
    def get(post_id)
      # VULNERABLE: Direct object reference from URI without ownership check.
      # Any authenticated (or even unauthenticated) user can access any post by ID.
      @post = Models::Post.find(post_id)
      render :view
    end
  end
end
The Secure Implementation
The vulnerable code trusts the 'post_id' parameter implicitly, allowing an attacker to iterate through IDs (Insecure Direct Object Reference). The secure implementation mitigates this with relationship scoping: instead of querying 'Models::Post.find', we query '@user.posts.find_by'. This forces the SQL query to include a 'WHERE user_id = ?' clause, so even if an attacker guesses another user's post ID, the query returns no record (nil) and the application responds with a 404, because the record does not exist within the scope of the current session's owner.
module Blog::Controllers
  class Post < R '/post/(\d+)'
    def get(post_id)
      # SECURE: Scope the lookup through the authenticated user's relationship.
      # This ensures the database only returns the record if it belongs to the user.
      # find_by (not find) so a stale session user_id yields nil instead of raising.
      @user = Models::User.find_by(id: @state.user_id) if @state.user_id
      return redirect(Login) unless @user

      @post = @user.posts.find_by(id: post_id)
      if @post.nil?
        @status = 404
        return "Resource not found or access denied."
      end

      render :view
    end
  end
end
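As an added example (not code from the original page or from the Camping project), the secure controller's decision logic is modelled in plain Ruby with no Camping or ActiveRecord dependency, so the ownership check can be unit-tested offline. PostStore, get_post and bola_regression_check are hypothetical names; the fixture data is constructed.

```ruby
# Added example: the redirect / 404 / render decision of the secure Post#get,
# plus a regression check that scoped lookups never cross user boundaries.
Post = Struct.new(:id, :user_id, :title)

class PostStore
  def initialize(posts)
    @posts = posts.to_h { |p| [p.id, p] }
  end

  def ids
    @posts.keys
  end

  # Unscoped lookup: the vulnerable pattern (Models::Post.find).
  def find(id)
    @posts[id]
  end

  # Relationship-scoped lookup, the equivalent of @user.posts.find_by(id:),
  # i.e. WHERE id = ? AND user_id = ?. Returns nil for other users' posts.
  def find_for_user(user_id, id)
    post = @posts[id]
    post if post && post.user_id == user_id
  end
end

# Mirrors the secure controller: redirect when unauthenticated, 404 when the
# record is not owned by the session user, 200 with the post otherwise.
def get_post(store, session_user_id, post_id)
  return [302, "redirect:/login"] if session_user_id.nil?
  post = store.find_for_user(session_user_id, post_id.to_i)
  return [404, "Resource not found or access denied."] if post.nil?
  [200, post.title]
end

# Test-suite regression check: for every user and every post, the scoped
# lookup must return a record exactly when that user owns the post.
def bola_regression_check(store, user_ids)
  store.ids.all? do |id|
    post = store.find(id)
    user_ids.all? do |uid|
      (uid == post.user_id) == !store.find_for_user(uid, id).nil?
    end
  end
end

# Constructed fixture data: two users, one post each.
STORE = PostStore.new([Post.new(1, 10, "alice-draft"), Post.new(2, 20, "bob-notes")])
```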
Verified by Ghost Labs Security Team