Advisories for the Go package go.senan.xyz/gonic

2026

Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)

In gonic, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete any playlist owned by any other user (including the admin) by passing its id, and can read the full contents (name, comment, song list) of any other user's private (non-public) playlist by passing its id. The Subsonic playlist id is base64url("<userID>/<filename>.m3u"). Because filenames are user-supplied or time-derived and …

gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists

The maintainer's recent fix in 6dd71e6a3c966867ef8c900d359a7df75789f410 (fix(subsonic): enforce playlist ownership on getPlaylist/deletePlaylist) added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controlled playlist ID, and the remainder of the ID is used to build the file path with no containment check on the resolved result, so the check only confirms that the ID names the caller as owner, not that the file it resolves to is the caller's. Any authenticated Subsonic user can therefore bypass the ownership check and read any other user's playlist (name, comment, IsPublic flag, song list) by crafting a base64-encoded playlist ID …

gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host

A logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user (including non-admin) to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with 0o777 permissions. The bug is independent of the playlist ownership IDOR fixed in 6dd71e6: it is an unreachable guard clause combined with no path containment in Store.Write.
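The three advisories describe one missing control from three angles: the ownership check trusts data taken from the id the client sent, and the path built from that id (or, for createPlaylist, from the supplied name) is never confined to the owner's directory. The Go program below is an added illustration written for this page, not gonic's code. It reconstructs the id scheme the first advisory describes (base64url of "<userID>/<filename>.m3u"; the choice of unpadded URL-safe base64 is an assumption), shows a resolver with the described flaw beside a hardened one, and reuses the same containment check for the create path. The function and type names, the playlists root and the user ids are all assumptions.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// Reconstruction of the playlist id scheme described in the advisories,
// id = base64url("<userID>/<filename>.m3u"), for illustration only. All names
// below are assumptions; none of this is gonic's own code.

var (
	ErrBadID     = errors.New("invalid playlist id")
	ErrForbidden = errors.New("playlist belongs to another user")
)

// PlaylistRef is the owner and on-disk path a decoded id resolves to.
type PlaylistRef struct {
	UserID int
	Path   string
}

// EncodeID builds an id the way the advisory says the server does.
func EncodeID(userID int, filename string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(strconv.Itoa(userID) + "/" + filename))
}

// decodeID splits a base64url id into its owner segment and the remainder.
func decodeID(id string) (owner int, rest string, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(id)
	if err != nil {
		return 0, "", ErrBadID
	}
	seg := strings.SplitN(string(raw), "/", 2)
	if len(seg) != 2 {
		return 0, "", ErrBadID
	}
	owner, err = strconv.Atoi(seg[0])
	if err != nil {
		return 0, "", ErrBadID
	}
	return owner, seg[1], nil
}

// VulnerableResolve mirrors the flaw the second advisory describes: ownership is
// checked against the first segment of the attacker-controlled id, and the rest
// of the id is joined onto the root with no containment check. filepath.Join
// cleans "..", so "7/../3/x.m3u" passes the check as user 7 and resolves into
// user 3's directory.
func VulnerableResolve(root string, callerID int, id string) (PlaylistRef, error) {
	owner, rest, err := decodeID(id)
	if err != nil {
		return PlaylistRef{}, err
	}
	if owner != callerID {
		return PlaylistRef{}, ErrForbidden
	}
	return PlaylistRef{UserID: owner, Path: filepath.Join(root, strconv.Itoa(owner), rest)}, nil
}

// userFile is the containment check the advisories say was missing. The name
// must be a single path element (no separators or NUL, not "." or ".."), carry
// the .m3u suffix, and the resolved path must stay under the caller's directory.
func userFile(root string, callerID int, name string) (string, error) {
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, "/\\\x00") || filepath.Base(name) != name ||
		!strings.HasSuffix(name, ".m3u") {
		return "", ErrBadID
	}
	userDir := filepath.Join(root, strconv.Itoa(callerID))
	full := filepath.Join(userDir, name)
	// Second line of defence: the resolved path must be relative to userDir.
	rel, err := filepath.Rel(userDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadID
	}
	return full, nil
}

// SafeResolve enforces ownership and containment together for get/delete.
func SafeResolve(root string, callerID int, id string) (PlaylistRef, error) {
	owner, name, err := decodeID(id)
	if err != nil {
		return PlaylistRef{}, err
	}
	if owner != callerID {
		return PlaylistRef{}, ErrForbidden
	}
	full, err := userFile(root, callerID, name)
	if err != nil {
		return PlaylistRef{}, err
	}
	return PlaylistRef{UserID: owner, Path: full}, nil
}

// SafeCreatePath is the equivalent check for createPlaylist: the client-supplied
// name is forced under the caller's directory, so absolute paths and traversal
// sequences never reach the filesystem write.
func SafeCreatePath(root string, callerID int, name string) (string, error) {
	return userFile(root, callerID, name)
}

func main() {
	root := "/srv/gonic/playlists" // assumed layout: <root>/<userID>/<name>.m3u
	crafted := EncodeID(7, "../3/favourites.m3u") // constructed: caller 7, victim 3
	if ref, err := VulnerableResolve(root, 7, crafted); err == nil {
		fmt.Println("vulnerable resolves to:", ref.Path)
	}
	if _, err := SafeResolve(root, 7, crafted); err != nil {
		fmt.Println("hardened rejects it:", err)
	}
}
```

The hardened resolver treats the filename segment as an opaque single path element rather than as a path to canonicalise: rejecting separators outright is easier to reason about than cleaning and comparing prefixes, and the filepath.Rel check stays in as a second line of defence. filepath.Join cleaning ".." for you is exactly why joining an attacker-controlled string onto a root is not a containment check.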