#0107 Predictable Internal ID

Difficulty: Hard | +200 XP | OWASP A01:2021 Broken Access Control | CWE-639
Tags: BOLA, IDOR, Enumeration, Predictable IDs

Scenario

A document management system uses short sequential integers as public-facing document references (publicRef). The getDocument endpoint accepts a string reference, casts it to an integer, and looks up the internal record.

No ownership check is performed before returning the document. Because references are sequential integers starting from 1, an attacker can trivially enumerate all documents by incrementing the value.

Every user's private document is reachable by any authenticated user who guesses the numeric sequence.

Sequential numeric IDs are trivially enumerable. Without an ownership check, any authenticated user can walk the entire document corpus one integer at a time.

Your Tasks

  1. Fix getDocument so it verifies the requesting user owns the document before returning it.
  2. Throw 'Forbidden' when the requester does not own the document.
  3. Throw 'Not found' when no document matches the publicRef.
  4. Return the document object for the legitimate owner.

Examples

Example 1: Blocked — sequential enumeration

getDocument('alice', '2', documents)
// publicRef 2 belongs to bob
// → throws Error('Forbidden')

Example 2: Allowed — correct owner

getDocument('alice', '1', documents)
// → returns document with publicRef 1

Constraints

  • Only edit the function body — do not change the function signature.
  • Throw exactly 'Forbidden' and 'Not found'.
  • publicRef values are cast from string to integer for lookup.
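The vulnerable lookup beside a fixed one that satisfies the tasks and constraints above. This is an added example, not the challenge's reference solution; it assumes `documents` is an array of `{ publicRef, ownerId, title }` records and that the signature is `getDocument(userId, publicRef, documents)`.

```javascript
// Constructed sample store (assumption: each record carries an integer
// publicRef and the ownerId of the user allowed to read it).
const documents = [
  { publicRef: 1, ownerId: 'alice', title: 'Alice private notes' },
  { publicRef: 2, ownerId: 'bob', title: 'Bob quarterly report' },
  { publicRef: 3, ownerId: 'carol', title: 'Carol draft' },
];

// Vulnerable form as described in the scenario: cast, look up, return.
// Any authenticated caller can read any record just by changing the ref.
function getDocumentVulnerable(userId, publicRef, documents) {
  const id = parseInt(publicRef, 10);
  const doc = documents.find((d) => d.publicRef === id);
  if (!doc) throw new Error('Not found');
  return doc; // userId is never consulted
}

// Fixed form: same signature, same cast, but the record is only returned
// when the requester is its owner (object-level authorization check).
function getDocument(userId, publicRef, documents) {
  const id = parseInt(publicRef, 10);
  // A non-numeric reference can never match, so treat it as Not found.
  if (!Number.isInteger(id)) throw new Error('Not found');
  const doc = documents.find((d) => d.publicRef === id);
  if (!doc) throw new Error('Not found');
  // Ownership check must run before any data leaves the function.
  if (doc.ownerId !== userId) throw new Error('Forbidden');
  return doc;
}

// Defender's measurement: how many records a given user can read by
// walking refs 1..maxRef through a lookup function. Used to confirm the
// fix actually closes the enumeration path, not only the two examples.
function readableCount(lookup, userId, documents, maxRef) {
  let count = 0;
  for (let ref = 1; ref <= maxRef; ref += 1) {
    try {
      lookup(userId, String(ref), documents);
      count += 1;
    } catch (e) {
      // Forbidden or Not found: this ref is not readable by userId
    }
  }
  return count;
}
```

Returning distinct 'Forbidden' and 'Not found' errors, as the tasks require, still tells a non-owner which references exist; a production API would usually collapse both into one response.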
