Tuist Server Cross-Tenant Preview Deletion Vulnerability via Insecure API Endpoint
Vulnerability
A vulnerability exists in Tuist Server versions through 1.180.8, specifically in the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint. This endpoint deletes previews based on their UUID without verifying that the preview belongs to the project specified in the URL. The project's authorization check is misapplied: it is evaluated against the project named in the URL, while the preview is looked up by UUID alone, so a user who is authorized on one project can delete previews from other projects. Any user with access to at least one of their own projects can exploit this issue to delete arbitrary previews in different tenants, given only the UUID of the preview to be deleted. The vulnerability affects both Tuist Cloud and self-hosted deployments.
Impact
Exploitation of this vulnerability allows for unauthorized deletion of previews and their associated build records from any project within the user's organization.
Reproduction
To reproduce this vulnerability, an authenticated user with access to at least one project can send a DELETE request to the previews deletion endpoint, specifying a preview UUID that belongs to a different project. The absence of proper authorization checks will result in the deletion of the specified preview, regardless of its project affiliation.
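The following is an added illustration of the flaw described above and of the fix, modelled in Python with an in-memory store; it is not Tuist Server's own code, and the handles, user names and UUIDs are constructed. The vulnerable handler authorizes the caller against the project named in the URL but then deletes by UUID alone; the fixed handler scopes the preview lookup to that same project.

```python
from dataclasses import dataclass, field


@dataclass
class Project:
    id: str
    account_handle: str
    project_handle: str
    members: set  # user names allowed to act on this project (constructed)


@dataclass
class Preview:
    id: str         # preview UUID
    project_id: str  # owning project


@dataclass
class Store:
    projects: dict = field(default_factory=dict)  # project id -> Project
    previews: dict = field(default_factory=dict)  # preview UUID -> Preview

    def find_project(self, account_handle, project_handle):
        for p in self.projects.values():
            if (p.account_handle, p.project_handle) == (account_handle, project_handle):
                return p
        return None


def delete_preview_vulnerable(store, user, account_handle, project_handle, preview_id):
    """Authorizes against the URL's project, then deletes by UUID alone."""
    project = store.find_project(account_handle, project_handle)
    if project is None or user not in project.members:
        return 404
    # BUG: the preview's own project_id is never compared with the URL's project,
    # so any UUID in the table is deletable once the caller owns *some* project.
    if preview_id in store.previews:
        del store.previews[preview_id]
        return 204
    return 404


def delete_preview_fixed(store, user, account_handle, project_handle, preview_id):
    """Same authorization, but the preview lookup is scoped to that project."""
    project = store.find_project(account_handle, project_handle)
    if project is None or user not in project.members:
        return 404
    preview = store.previews.get(preview_id)
    # A preview owned by another project is reported as not found, so the
    # endpoint neither deletes it nor confirms that the UUID exists.
    if preview is None or preview.project_id != project.id:
        return 404
    del store.previews[preview_id]
    return 204


def make_store():
    """Constructed fixture: two tenants with one preview each."""
    s = Store()
    s.projects["p1"] = Project("p1", "acme", "app", {"alice"})
    s.projects["p2"] = Project("p2", "globex", "tool", {"bob"})
    s.previews["11111111-1111-4111-8111-111111111111"] = Preview("11111111-1111-4111-8111-111111111111", "p1")
    s.previews["22222222-2222-4222-8222-222222222222"] = Preview("22222222-2222-4222-8222-222222222222", "p2")
    return s
```

The same scoping applies to any handler that takes a tenant in the path and a resource id in the body or path: load the resource through the authorized parent, never by id alone.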
Remediation
Users are advised to upgrade to the latest version of Tuist Server, where this vulnerability has been addressed.