Private File IDOR via raw/direct endpoints

GHSA : https://github.com/FlintSH/Flare/security/advisories/GHSA-gwqr-xf5c-5569 
 CVE : CVE-2026-30231 
 Summary 
 The raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the content, which is inconsistent with stricter checks used by other endpoints 
 
 Evidence (Code References) 
 
 raw route predicate: raw/route.ts:L92-L97 
 direct route predicate: direct/route.ts:L35-L40 
 download route correct check: download/route.ts:L36-L45 
 thumbnail route correct check: thumbnail/route.ts:L32-L45 
 
 Impact 
 
 Confidential private files can be accessed by any authenticated user if the URL is known. 
 Violates access control consistency across file endpoints. 
 
 Expected vs Actual 
 
 Expected: Private files should be accessible only to the owner or admin. 
 Actual: Private files are accessible to any authenticated user on raw/direct routes. 
 
 Minimal Logic Reproduction (non‑network) 
 This demonstrates the misclassification using the same predicates. 
 type Session = { user?: { id: string; role?: 'ADMIN' | 'USER' } } | null

function rawIsPrivate(visibility: 'PUBLIC' | 'PRIVATE', session: Session) {
 return visibility === 'PRIVATE' && !session?.user
}

function directIsPrivate(visibility: 'PUBLIC' | 'PRIVATE', session: Session) {
 return visibility === 'PRIVATE' && !session?.user
}

// Setup: private file owned by A; authenticated B session
const fileVisibility = 'PRIVATE' as const
const sessionB: Session = { user: { id: 'user-B', role: 'USER' } }

// Current behavior in raw/direct:
rawIsPrivate(fileVisibility, sessionB) // false → grants access
directIsPrivate(fileVisibility, sessionB) // false → grants access

// Expected: deny unless owner or admin
function expectedIsPrivate(
 visibility: 'PUBLIC' | 'PRIVATE',
 session: Session,
 ownerId: string
) {
 const isOwner = session?.user?.id === ownerId
 const isAdmin = session?.user?.role === 'ADMIN'
 return visibility === 'PRIVATE' && !isOwner && !isAdmin
}
 
 Affected Components 
 
 raw file endpoint: raw/route.ts 
 direct file endpoint: direct/route.ts 
 
 Remediation 
 Align raw/direct with download/thumbnail: 
 const isOwner = session?.user?.id === file.userId
const isAdmin = session?.user?.role === 'ADMIN'
const isPrivate = file.visibility === 'PRIVATE' && !isOwner && !isAdmin

if (isPrivate) {
 return new Response(null, { status: 404 }) // or 403
}
 
 Consider centralizing access checks in a shared utility to ensure consistency across endpoints. 
 Verification Checklist 
 
 Private file as Owner A:
 
 Unauthenticated user → denied (404/401) 
 Authenticated non‑owner User B → denied 
 Admin → allowed 
 Owner → allowed 
 
 
 Behavior matches download/thumbnail routes. 
 Automated tests added for owner/admin/non‑owner/unauthenticated across raw/direct.