fix(comments): prevent IDOR in WebDAV comments API (#41558)

* test(comments): stub objectType/objectId in EntityCollection happy-path tests

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* test(comments): add failing IDOR regression tests for EntityCollection

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* fix(comments): prevent IDOR in WebDAV comments API by checking comment ownership

An authenticated user could PROPFIND/DELETE/PROPPATCH any comment by
supplying an arbitrary comment_id paired with any file_id they own.
EntityCollection::getChild() and childExists() now verify that the
fetched comment's objectType and objectId match the collection's own
entity type and file ID before returning or confirming the node.

Fixes OC10-53

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* docs: add changelog entry for OC10-53 IDOR fix in WebDAV comments API

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

---------

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: DeepDiver1975

apps/comments/lib/Dav/EntityCollection.php

@@ -98,6 +98,10 @@ public function getId() {
 	public function getChild($name) {
 		try {
 			$comment = $this->commentsManager->get($name);
+			// objectType/objectId identify the entity (e.g. file) the comment is attached to
+			if ($comment->getObjectType() !== $this->name || $comment->getObjectId() !== $this->id) {
+				throw new NotFound();
+			}
 			return new CommentNode(
 				$this->commentsManager,
 				$comment,
@@ -151,8 +155,10 @@ public function findChildren($limit = 0, $offset = 0, \DateTime $datetime = null
 	 */
 	public function childExists($name) {
 		try {
-			$this->commentsManager->get($name);
-			return true;
+			$comment = $this->commentsManager->get($name);
+			// objectType/objectId identify the entity (e.g. file) the comment is attached to
+			return $comment->getObjectType() === $this->name
+				&& $comment->getObjectId() === $this->id;
 		} catch (NotFoundException $e) {
 			return false;
 		}

apps/comments/tests/unit/Dav/EntityCollectionTest.php

@@ -70,10 +70,14 @@ public function testGetId(): void {
 	}
 
 	public function testGetChild(): void {
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('files');
+		$comment->method('getObjectId')->willReturn('19');
+
 		$this->commentsManager->expects($this->once())
 			->method('get')
 			->with('55')
-			->will($this->returnValue($this->createMock(IComment::class)));
+			->willReturn($comment);
 
 		$node = $this->collection->getChild('55');
 		$this->assertInstanceOf(\OCA\Comments\Dav\CommentNode::class, $node);
@@ -118,6 +122,15 @@ public function testFindChildren(): void {
 	}
 
 	public function testChildExistsTrue(): void {
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('files');
+		$comment->method('getObjectId')->willReturn('19');
+
+		$this->commentsManager->expects($this->once())
+			->method('get')
+			->with('44')
+			->willReturn($comment);
+
 		$this->assertTrue($this->collection->childExists('44'));
 	}
 
@@ -129,4 +142,60 @@ public function testChildExistsFalse(): void {
 
 		$this->assertFalse($this->collection->childExists('44'));
 	}
+
+	public function testGetChildWrongFile(): void {
+		$this->expectException(\Sabre\DAV\Exception\NotFound::class);
+
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('files');
+		$comment->method('getObjectId')->willReturn('999'); // different file
+
+		$this->commentsManager->expects($this->once())
+			->method('get')
+			->with('55')
+			->willReturn($comment);
+
+		$this->collection->getChild('55');
+	}
+
+	public function testGetChildWrongObjectType(): void {
+		$this->expectException(\Sabre\DAV\Exception\NotFound::class);
+
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('albums'); // wrong type
+		$comment->method('getObjectId')->willReturn('19');
+
+		$this->commentsManager->expects($this->once())
+			->method('get')
+			->with('55')
+			->willReturn($comment);
+
+		$this->collection->getChild('55');
+	}
+
+	public function testChildExistsWrongFile(): void {
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('files');
+		$comment->method('getObjectId')->willReturn('999'); // different file
+
+		$this->commentsManager->expects($this->once())
+			->method('get')
+			->with('44')
+			->willReturn($comment);
+
+		$this->assertFalse($this->collection->childExists('44'));
+	}
+
+	public function testChildExistsWrongObjectType(): void {
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('albums'); // wrong type
+		$comment->method('getObjectId')->willReturn('19');
+
+		$this->commentsManager->expects($this->once())
+			->method('get')
+			->with('44')
+			->willReturn($comment);
+
+		$this->assertFalse($this->collection->childExists('44'));
+	}
 }

changelog/unreleased/41558

@@ -0,0 +1,5 @@
+Fix: Prevent IDOR in WebDAV comments API
+
+Authenticated users could read, edit, or delete comments on files they have no access to by supplying an arbitrary comment ID in the WebDAV comments endpoint. The fix verifies that a requested comment belongs to the file in the URL before returning it.
+
+https://github.com/owncloud/core/pull/41558