Private project assets exposed without authorization check #3904

@Nixxx19

Description

p5.js version

latest

What is your operating system?

Mac OS

Web browser and version

all

Actual Behavior

getProjectAsset() serves project assets (files, images) for any project ID without checking visibility. Anyone who knows or guesses a project ID can access Private project assets. Project listing correctly filters by visibility; this endpoint does not.

Location: server/controllers/project.controller.js lines 104–137

Vulnerable routes: /full/:project_id/*, /embed/:project_id/*, /:username/sketches/:project_id/*, /present/:project_id/*

Expected Behavior

Private project assets should be served only to the project owner (or not at all for unauthenticated users). Public projects may be served to anyone.

Steps to reproduce

  1. Create a project and set visibility to Private.
  2. Add an asset (e.g. image) to the project.
  3. While logged out (or as another user), open the asset URL: e.g. https://editor.p5js.org/full/<project_id>/<asset_path>.
  4. Observe that the private asset is returned (200) instead of 403.

Snippet:

// server/controllers/project.controller.js - getProjectAsset()
// Currently no visibility check before serving:
const project = await Project.findOne({ $or: [{ _id: projectId }, { slug: projectId }] })...
// ... then directly serves resolvedFile.content or fetches resolvedFile.url
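One way to add the check the report asks for, as an added example that is not the p5.js editor's own code. It models getProjectAsset() with an owner-or-public authorization step placed before any file is resolved or served. Everything below is an assumption for illustration: the Project model fields `visibility` (values 'Public' | 'Unlisted' | 'Private') and `user` (owner id), the Express wildcard arriving as `req.params[0]`, and the constructed sample projects standing in for `Project.findOne()` results so the code runs offline.

```javascript
// Added example for this issue; not code from the p5.js web editor.
// Assumed (not taken from the project): a `visibility` field with values
// 'Public' | 'Unlisted' | 'Private', a `user` field holding the owner id,
// and the route wildcard exposed as req.params[0].

// Constructed sample data standing in for Project.findOne() results.
const PROJECTS = [
  {
    _id: 'p1', slug: 'secret-sketch', visibility: 'Private', user: 'alice',
    files: [
      { name: 'sketch.js', content: 'function setup() { createCanvas(400, 400); }' },
      { name: 'photo.png', url: 'https://storage.example/photo.png' },
    ],
  },
  {
    _id: 'p2', slug: 'open-sketch', visibility: 'Public', user: 'bob',
    files: [{ name: 'sketch.js', content: 'function draw() { background(220); }' }],
  },
];

// Synchronous stand-in for `Project.findOne({ $or: [{ _id }, { slug }] })`.
function findProject(projectId) {
  return PROJECTS.find((p) => p._id === projectId || p.slug === projectId) || null;
}

// Authorization rule: non-Private projects are readable by anyone, Private
// projects only by their owner. Ids are compared as strings because a
// Mongoose ObjectId is an object, not a primitive.
function canReadProject(project, requesterId) {
  if (project.visibility !== 'Private') return true;
  return requesterId != null && String(project.user) === String(requesterId);
}

// Minimal stand-in for the Express response object.
function makeRes() {
  return {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
    json(body) { this.body = body; return this; },
    redirect(url) { this.statusCode = 302; this.body = url; return this; },
  };
}

// Hardened handler: deny before any file content or URL is touched.
function getProjectAsset(req, res) {
  const project = findProject(req.params.project_id);
  if (!project) return res.status(404).json({ message: 'Project not found' });

  const requesterId = req.user ? req.user._id : null;
  if (!canReadProject(project, requesterId)) {
    // The issue's expected behaviour is 403. Returning 404 instead would
    // also avoid confirming to a guesser that the project id exists.
    return res.status(403).json({ message: 'Forbidden' });
  }

  const file = project.files.find((f) => f.name === req.params[0]);
  if (!file) return res.status(404).json({ message: 'Asset not found' });
  if (file.content != null) return res.status(200).send(file.content);
  return res.redirect(file.url); // externally hosted asset
}

// Convenience wrapper: build a request like GET /full/:project_id/* would.
function serve(projectId, assetPath, requester) {
  const res = makeRes();
  getProjectAsset({ params: { project_id: projectId, 0: assetPath }, user: requester }, res);
  return res;
}
```

The same handler is mounted on all four routes listed above, so one check in getProjectAsset() covers them; the point is that it runs before resolvedFile.content is sent or resolvedFile.url is fetched, not after. Whether an Unlisted project should be treated like Public is a product decision the report does not settle.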

Labels

Bug (Error or unexpected behaviors)
