trace_cd1149a3884a4a6482155d477627f362

Start from http/public.go, especially the public share access wrapper identified in the advisory, and compare it with the permission guard in http/share.go. This source file has a known vulnerability sink in it. Traverse the codebase and report the vulnerability. You can report multiple vulnerabilities. Ground the report in the exact request path, the user/share lookup flow, and the missing permission re-validation before serving public downloads.

{
  "executiveSummary": "The public share download/listing flow in `http/public.go` loads a share link by hash and then resolves the share owner, but it never re-checks the owner's current `Share` and `Download` permissions before serving content. In contrast, share creation and management in `http/share.go` are guarded by `withPermShare`, which explicitly requires both permissions. As a result, a share link created while the owner had permission remains usable through `/api/public/share/{hash}` and `/api/public/dl/{hash}` even after the owner's `Share` or `Download` permission is later revoked.",
  "reports": [
    {
      "title": "Public share access does not re-validate owner's Share and Download permissions",
      "severity": "HIGH",
      "summary": "Requests to `/api/public/share/{hash}` and `/api/public/dl/{hash}` are handled through `withHashFile`, which retrieves the share by hash, authenticates optional share password/token, loads the owner user record, and serves the file/directory without verifying that the owner still has `Perm.Share` and `Perm.Download`. The intended policy is shown in `http/share.go`, where `withPermShare` blocks share operations unless both permissions are currently enabled.",
      "rootCauseAnalysis": "`http/public.go`'s `withHashFile` path performs `d.store.Share.GetByHash(id)`, `authenticateShareRequest`, and `d.store.Users.Get(..., link.UserID)`, then directly constructs `files.NewFileInfo` and dispatches to `publicShareHandler` or `publicDlHandler`. There is no check equivalent to `if !d.user.Perm.Share || !d.user.Perm.Download { return http.StatusForbidden, nil }`. Meanwhile, `http/share.go` defines `withPermShare` and applies it to share creation/listing/deletion, demonstrating that public sharing is supposed to require both `Share` and `Download` permissions. Because the public-serving path omits this validation, revoking those permissions from the share owner does not invalidate previously issued share links.",
      "impact": "An administrator who revokes a user's `Share` and/or `Download` permission may believe the user can no longer expose files, but any previously created public links remain functional. Anyone possessing the existing link hash (and password/token if configured) can continue listing shared directories and downloading files from the owner's filesystem scope. This causes persistent unauthorized disclosure after permission revocation.",
      "attackPath": "1. A user with `Perm.Share=true` and `Perm.Download=true` creates a share via the guarded `/api/share...` flow.\n2. The share record persists with `Hash`, `Path`, and `UserID`.\n3. Later, an administrator revokes the owner's `Share` or `Download` permission.\n4. An unauthenticated requester calls `/api/public/share/{hash}` or `/api/public/dl/{hash}`.\n5. `withHashFile` looks up the link via `Share.GetByHash`, authenticates only the share password/token, loads the owner with `Users.Get`, and serves the file through `files.NewFileInfo