4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -15,3 +15,7 @@
**Vulnerability:** Internal system error messages (`error.originalError.message`) were leaked in API 500 error responses in `apps/data-service/src/hono/routes/demo.ts`.
**Learning:** Returning unhandled database or internal system errors directly to the client can leak sensitive information about the backend architecture.
**Prevention:** Always sanitize error messages returned in JSON responses. Log detailed errors on the server, but return generic messages (e.g. `error.message` of a custom domain error rather than the original system error) to the client.
## 2025-03-18 - [Fix Privilege Escalation Vulnerability in updateRole]
**Vulnerability:** Tenants can modify system roles because `updateRole` lacks an `isSystemRole` check.
**Learning:** System roles (roles with `isSystemRole: true`) must be protected from modification by individual tenants to prevent privilege escalation.
**Prevention:** Always check `isSystemRole` and throw a validation error before updating or deleting a role.
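Review bot: the Prevention line promises an `isSystemRole` check "before updating or deleting a role", but this PR only adds the guard to `updateRole`; either confirm that `deleteRole` (not in this diff) already carries the same check or narrow the sentence to updates so the record matches what actually shipped. The Vulnerability line also frames this as a tenant-only restriction, so the entry should state whether platform-level callers are still expected to modify system roles, since the guard as added in `roles.ts` applies to every caller of `updateRole`.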
Comment on lines +18 to +21
⚠️ Potential issue | 🟡 Minor

Verify the entry date.

The date 2025-03-18 appears inconsistent with the PR creation date (April 2026). If this is a historical record of when the vulnerability was discovered, consider clarifying. Otherwise, update to the current date.

The documentation content itself accurately describes the vulnerability, learning, and prevention measures.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 18 - 21, The header line "## 2025-03-18 -
[Fix Privilege Escalation Vulnerability in updateRole]" has an inconsistent
date; either update that date to the PR/current date (April 2026) or clarify it
as the original discovery date (e.g., append "(discovered 2025-03-18)") so
readers aren’t confused; edit the header string to reflect the correct date or
add the parenthetical clarification while leaving the rest of the entry (the
vulnerability, learning, and prevention text) unchanged.

6 changes: 6 additions & 0 deletions packages/data-ops/src/queries/school-admin/roles.ts
@@ -124,6 +124,12 @@ export function updateRole(
throw new DatabaseError('NOT_FOUND', SCHOOL_ERRORS.ROLE_NOT_FOUND)
}

const role = roleResult.value

if (role.isSystemRole) {
throw new DatabaseError('VALIDATION_ERROR', 'Cannot modify system roles')
Comment on lines +129 to +130

P1: Allow privileged updates to system roles

This unconditional guard blocks all updates to isSystemRole records, including the core admin flow that calls updateRole for platform role management (apps/core/src/core/functions/roles.ts:65-70). Because updateRole has no caller-context check, core users now get VALIDATION_ERROR when editing built-in system roles, which is a regression from prior behavior and broader than the stated tenant-only restriction.


}

const [updated] = await db
.update(roles)
.set({
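Review bot: the new guard `if (role.isSystemRole)` rejects every caller unconditionally, while the sentinel entry describes a tenant-only restriction; `updateRole` receives no actor or scope argument in this hunk, so consider threading the caller context into the function (or exposing a separate platform-level entry point) and raising only for tenant-scoped callers. Two smaller points: `'VALIDATION_ERROR'` labels an authorization failure as an input-validation problem, so a dedicated forbidden-style code would be clearer for clients and logs if `DatabaseError` supports one; and because the check inspects `roleResult` and then issues a separate `db.update(roles)`, the invariant is only enforced at read time, so adding the `isSystemRole` condition to the update's own filter would make it hold at write time as well.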