Metastatic.Analysis.BusinessLogic.InsecureDirectObjectReference (Metastatic v0.10.4)


Detects Insecure Direct Object Reference (IDOR) vulnerabilities (CWE-639).

This analyzer identifies code patterns where user-supplied IDs are used to directly access resources without verifying ownership or authorization.

Cross-Language Applicability

IDOR is a universal access control vulnerability:

  • Elixir: Repo.get!(Post, params["id"]) without ownership check
  • Python: Post.objects.get(id=request.GET['id'])
  • JavaScript: Post.findById(req.params.id)
  • Ruby: Post.find(params[:id])
  • Java: postRepository.findById(request.getParameter("id"))
  • C#: _context.Posts.Find(id)
  • Go: db.First(&post, id)

Problem

When resources are accessed directly by ID without authorization:

  • Any user can read or modify other users' records simply by guessing or incrementing an ID
  • Horizontal privilege escalation is trivial: the whole attack is a change to one request parameter
  • The result is data theft and privacy violations

Detection Strategy

Detects patterns where:

  1. A resource is fetched by a user-supplied ID (a path or query parameter)
  2. No ownership check is apparent, neither a query scoped to the current user nor a comparison such as resource.user_id == current_user.id
  3. No authorization policy is applied to the resource

Because the detection is pattern-based, an ownership constraint enforced outside the inspected function (a plug, a scoped query helper) may not be seen; treat findings as candidates to triage rather than confirmed vulnerabilities.
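The three conditions above, worked as an added example that is not code from Metastatic or its documentation: a toy detector built on Python's `ast` module that applies them to Django-style views (the page's Python pattern, `Post.objects.get(id=request.GET['id'])`). The fetch forms it recognises, the owner field names, the policy helper names and the sample views are all assumptions constructed for this illustration; a real analyzer would tune them to the project's own helpers.

```python
"""Toy IDOR detector for Django-style views: an added illustration, not Metastatic's code.
Every name set below is an assumption for this example; a real project tunes them to its helpers."""
import ast

ID_KEYWORDS = {"id", "pk"}
TAINTED_ATTRS = {"GET", "POST", "data"}  # request.GET["id"], request.data["pk"]
OWNER_FIELDS = {"user", "user_id", "owner", "owner_id", "author", "author_id"}
POLICY_NAMES = {"has_perm", "check_object_permissions", "permission_required", "authorize"}


def _dotted(node):
    """'request.user.id' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None


def _mentions(node, prefix):
    """True if some chain inside node is `prefix` or starts with `prefix.`."""
    return any(d == prefix or d.startswith(prefix + ".")
               for d in map(_dotted, ast.walk(node)) if d is not None)


def _is_user_supplied(value, params):
    """Condition 1: ID is a URL-captured view parameter or a subscript of request.GET/POST/data."""
    if isinstance(value, ast.Name):
        return value.id in params
    base = _dotted(value.value) if isinstance(value, ast.Subscript) else None  # request.GET["id"]
    return base is not None and base.split(".")[0] == "request" and base.split(".")[-1] in TAINTED_ATTRS


def _fetch_calls(fn):
    """Yield (call, assigned name) for `x = Model.objects.get(...)` or `x = get_object_or_404(...)`."""
    for node in ast.walk(fn):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call) \
                and isinstance(node.targets[0], ast.Name):
            name = _dotted(node.value.func) or ""
            if name.endswith(".objects.get") or name == "get_object_or_404":
                yield node.value, node.targets[0].id


def _ownership_checked(fn, call, var):
    """Condition 2: query scoped to request.user, or <var>.<owner field> compared with request.user."""
    if any(kw.arg in OWNER_FIELDS and _mentions(kw.value, "request.user") for kw in call.keywords):
        return True
    for node in ast.walk(fn):
        if isinstance(node, ast.Compare):
            ops = [node.left, *node.comparators]
            chains = [_dotted(o) or "" for o in ops]
            owner = any(c.startswith(var + ".") and set(c.split(".")) & OWNER_FIELDS for c in chains)
            if owner and any(_mentions(o, "request.user") for o in ops):
                return True
    return False


def _has_policy(fn):
    """Condition 3: an authorization decorator or helper call appears anywhere in the view."""
    targets = [d.func if isinstance(d, ast.Call) else d for d in fn.decorator_list]
    targets += [n.func for n in ast.walk(fn) if isinstance(n, ast.Call)]
    return any((_dotted(t) or "").split(".")[-1] in POLICY_NAMES for t in targets)


def find_idor(source):
    """Return (function, line, variable) for every fetch meeting all three conditions, in source order."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        params = {a.arg for a in fn.args.args + fn.args.kwonlyargs} - {"self", "request"}
        for call, var in _fetch_calls(fn):
            ids = [kw.value for kw in call.keywords if kw.arg in ID_KEYWORDS]
            if any(_is_user_supplied(v, params) for v in ids) \
                    and not _ownership_checked(fn, call, var) and not _has_policy(fn):
                findings.append((fn.name, call.lineno, var))
    return findings


# Constructed sample views: only the first and the last should be reported.
SAMPLE_VIEWS = '''
def show_post_vulnerable(request, post_id):
    post = Post.objects.get(id=post_id)
    return render(request, "post.html", {"post": post})

def show_post_checked(request, post_id):
    post = Post.objects.get(id=post_id)
    if post.user_id != request.user.id:
        raise PermissionDenied()
    return render(request, "post.html", {"post": post})

def show_post_scoped(request, post_id):
    post = get_object_or_404(Post, pk=post_id, owner=request.user)
    return render(request, "post.html", {"post": post})

def show_post_policy(request, post_id):
    post = Post.objects.get(id=post_id)
    if not request.user.has_perm("blog.view_post", post):
        raise PermissionDenied()
    return render(request, "post.html", {"post": post})

def show_post_query(request):
    post = Post.objects.get(id=request.GET["id"])
    return render(request, "post.html", {"post": post})
'''
```

Running `find_idor(SAMPLE_VIEWS)` reports `show_post_vulnerable` and `show_post_query` and stays silent on the three views that scope the query, compare the owner field, or call a policy helper. The `show_post_checked` and `show_post_scoped` views are also the two idiomatic fixes: scoping the query to the current user is preferable because it cannot be forgotten on a later code path, whereas a post-fetch comparison has to be repeated at every access.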