We've discovered and patched an issue where attachments with a hidden prominence can be included in batch request zip downloads, bypassing their visibility restrictions.
We've released a fix in 0.45.5.0 [1] and 0.46.3.0 [2]. If you are running an older version of Alaveteli please see the pull request and patch your Alaveteli as appropriate [3].
# Summary and impact
`FoiAttachment` gained its own `prominence` field, independent of its parent `IncomingMessage`, allowing individual attachments to be hidden or restricted to the requester. However, the batch request zip download service (`InfoRequestBatchZip`) only checked the prominence of the parent `IncomingMessage` - it did not also check the prominence of each `FoiAttachment`. As a result, a hidden attachment could be included in a zip download by a user who would not otherwise be permitted to access it.
This problem only affects downloading zip files of batch requests and is limited to Pro users downloading their own batch requests.
# Fix
We've updated `InfoRequestBatchZip#prepare_foi_attachment` to check `can?(:read, attachment)` in addition to the existing `can?(:read, message)` check. See pull request [3].
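To make the gap concrete, here is an added illustration (not Alaveteli's own code) of the two-level check in miniature: a parent message and its attachments each carry a prominence, and the zip preparation step is shown before and after adding the per-attachment check. The prominence semantics are simplified assumptions ('normal' public, 'requester_only' visible to the request owner, 'hidden' visible to nobody; admins left out), and the model, user and filenames are constructed for the example.

```ruby
# Added illustration, not Alaveteli's code. Assumed, simplified prominence
# semantics: 'normal' is public, 'requester_only' is readable only by the
# request owner, 'hidden' by nobody (admin access is out of scope here).
User            = Struct.new(:id)
IncomingMessage = Struct.new(:prominence, :info_request_owner_id, :attachments)
FoiAttachment   = Struct.new(:filename, :prominence, :incoming_message)

def owner_id(record)
  return record.incoming_message.info_request_owner_id if record.is_a?(FoiAttachment)
  record.info_request_owner_id
end

# Stands in for a `can?(:read, record)` ability check on either model.
def can_read?(user, record)
  case record.prominence
  when 'normal'         then true
  when 'requester_only' then user.id == owner_id(record)
  else                       false   # 'hidden' and anything unknown: deny
  end
end

# Before the fix: only the parent message's prominence gates the zip entry,
# so an attachment hidden independently of its message still gets packed.
def zip_entries_before(user, message)
  return [] unless can_read?(user, message)
  message.attachments.map(&:filename)
end

# After the fix: the attachment's own prominence is checked as well.
def zip_entries_after(user, message)
  return [] unless can_read?(user, message)
  message.attachments.select { |a| can_read?(user, a) }.map(&:filename)
end

# Constructed sample: a Pro user's own request, a public message, one
# attachment hidden on its own, one restricted to the requester.
def sample
  requester = User.new(7)
  message   = IncomingMessage.new('normal', 7, [])
  message.attachments << FoiAttachment.new('response.pdf', 'normal', message)
  message.attachments << FoiAttachment.new('redacted-names.xls', 'hidden', message)
  message.attachments << FoiAttachment.new('your-address.txt', 'requester_only', message)
  [requester, message]
end

if __FILE__ == $0
  user, message = sample
  puts "before fix: #{zip_entries_before(user, message).inspect}"
  puts "after fix:  #{zip_entries_after(user, message).inspect}"
end
```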
# Checking affected content
You can run the following script to identify attachments that have restricted prominence and whose parent incoming message does not share the same restriction (i.e. attachments that relied solely on their own prominence for protection), and belong to a request in a batch:
```ruby
FoiAttachment.
  joins(incoming_message: :info_request).
  where(prominence: 'hidden').                              # the attachment itself is hidden
  where.not(incoming_messages: { prominence: 'hidden' }).   # but its parent message is not
  merge(InfoRequest.via_batch).                             # and the request belongs to a batch
  ids
```
You can map these IDs to information in the admin UI and/or server logs to assess impact and severity in your specific install. Let us know if you need any assistance in diagnosing this issue.
# Affected versions
Versions 0.42.0.0 through to 0.45.4.1 and 0.46.0.0 through to 0.46.2.1 are affected.
# Fixed versions
We've released a fix in 0.45.5.0 [1] and 0.46.3.0 [2]. If you are running an older version of Alaveteli please see the pull request and patch your Alaveteli as appropriate [3].
Please reach out to us if you have any questions,
Best,
Graeme
[1] https://github.com/mysociety/alaveteli/releases/tag/0.45.5.0
[2] https://github.com/mysociety/alaveteli/releases/tag/0.46.3.0
[3] https://github.com/mysociety/alaveteli/pull/9179
--
Graeme Porteous