
fix(security): validate page belongs to application in partial export (GHSA-9xfc-9f97-x524)#41832

Status: Open
subrata71 wants to merge 2 commits into release from fix/partial-export-bola-ghsa-9xfc

Conversation


@subrata71 subrata71 commented May 20, 2026

Description

Fixes a BOLA/IDOR vulnerability (GHSA-9xfc-9f97-x524, CVSS 6.5 Medium) in the partial application export endpoint.

Root cause: POST /api/v1/applications/export/partial/{branchedApplicationId}/{branchedPageId} authorized the branchedApplicationId but used the attacker-controlled branchedPageId to fetch page-scoped resources (actions, JS collections, page names) without verifying the page belongs to the authorized application. An authenticated user could mix their own application ID with a victim's page ID to export private resources from another application.

Fix: Add page-application relationship validation in PartialExportServiceCEImpl.getPartialExportResources(). After authorizing the application, the page is looked up and verified to belong to that application. If the page doesn't belong, the request is rejected with PAGE_DOESNT_BELONG_TO_APPLICATION (400 Bad Request). This mirrors the established pattern in ApplicationPageServiceCEImpl.makePageDefault().

Files changed:

  • PartialExportServiceCEImpl.java — add validatedPageIdMono step before page-scoped operations
  • PartialExportServiceTest.java — add regression test: cross-application page ID is rejected

Fixes APP-15244

Automation

/ok-to-test tags="@tag.All"

🔍 Cypress test results

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No


🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/26208533855
Commit: 88b12ce
Cypress dashboard.
Tags: @tag.All

Thu, 21 May 2026 08:30:15 UTC

Summary by CodeRabbit

  • Bug Fixes

    • Partial export now validates that selected pages exist and belong to the specified application. Missing pages and pages from other applications are rejected with clear error messages.
  • Tests

    • Added test coverage to verify partial export rejects pages that belong to different applications.
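The check the description above adds (authorize the application first, then accept the page only if its applicationId equals the id of that authorized application), written out as an added illustration in Reactor style. This is not Appsmith's code: the Application and NewPage shapes, the in-memory maps, the exception class and the method names are assumed, and it assumes Java 17 with reactor-core on the classpath.

```java
import reactor.core.publisher.Mono;
import java.util.Map;

public class PartialExportOwnershipCheck {
    // Minimal stand-ins for the server's Application and NewPage documents (assumed shapes).
    record Application(String id, String ownerUserId) {}
    record NewPage(String id, String applicationId) {}
    static class AppsmithException extends RuntimeException {
        AppsmithException(String errorCode) { super(errorCode); }
    }

    // Constructed sample data: "attacker" owns app-A, "victim" owns app-B.
    static final Map<String, Application> APPLICATIONS = Map.of(
            "app-A", new Application("app-A", "attacker"),
            "app-B", new Application("app-B", "victim"));
    static final Map<String, NewPage> PAGES = Map.of(
            "page-A1", new NewPage("page-A1", "app-A"),
            "page-B1", new NewPage("page-B1", "app-B"));

    // Stand-in for the application authorization the endpoint already performed.
    static Mono<Application> authorizedApplication(String userId, String applicationId) {
        Application app = APPLICATIONS.get(applicationId);
        if (app == null || !app.ownerUserId().equals(userId)) {
            return Mono.error(new AppsmithException("ACL_NO_RESOURCE_FOUND"));
        }
        return Mono.just(app);
    }

    // The step the PR adds: the page must exist and its applicationId must equal the id of
    // the application that was actually authorized; the page id from the URL is never trusted alone.
    static Mono<String> validatedPageId(Mono<Application> applicationMono, String branchedPageId) {
        return applicationMono.flatMap(application -> Mono.justOrEmpty(PAGES.get(branchedPageId))
                .switchIfEmpty(Mono.error(new AppsmithException("NO_RESOURCE_FOUND")))
                .flatMap(page -> {
                    if (!page.applicationId().equals(application.id())) {
                        return Mono.<String>error(new AppsmithException("PAGE_DOESNT_BELONG_TO_APPLICATION"));
                    }
                    return Mono.just(page.id());
                }));
    }

    public static void main(String[] args) {
        Mono<Application> attackerApp = authorizedApplication("attacker", "app-A");
        System.out.println(validatedPageId(attackerApp, "page-A1").block()); // own page: passes
        // The caller's own (authorized) application id mixed with the victim's page id is rejected.
        validatedPageId(attackerApp, "page-B1")
                .doOnError(e -> System.out.println("rejected: " + e.getMessage()))
                .onErrorResume(e -> Mono.empty())
                .block();
    }
}
```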

Review Change Stack

… (GHSA-9xfc-9f97-x524)

The partial export endpoint authorized the branchedApplicationId but
used the attacker-controlled branchedPageId to fetch page-scoped
resources (actions, JS collections, page names) without verifying the
page belongs to the authorized application.

Add page-application relationship validation in
PartialExportServiceCEImpl.getPartialExportResources() that rejects
requests where the page does not belong to the specified application,
using the existing PAGE_DOESNT_BELONG_TO_APPLICATION error.

Add regression test that verifies cross-application page ID is rejected.
@subrata71 subrata71 requested a review from a team as a code owner May 20, 2026 19:08
@subrata71 subrata71 added the Security Issues related to information security within the product label May 20, 2026

coderabbitai Bot commented May 20, 2026

Walkthrough

This PR adds page ownership validation to the partial export service: it verifies the requested page exists and belongs to the specified application before continuing the export pipeline, and includes a test that asserts cross-application page export is rejected.

Changes

BOLA Protection in Partial Export

Layer: Page ownership validation in partial export
File(s): app/server/appsmith-server/src/main/java/com/appsmith/server/exports/internal/partial/PartialExportServiceCEImpl.java
Summary: getPartialExportResources validates that branchedPageId refers to a page existing within branchedApplicationId via reactive validatedPageIdMono. Errors with NO_RESOURCE_FOUND for missing pages or PAGE_DOESNT_BELONG_TO_APPLICATION for ownership mismatches. The reactive chain is updated to enforce validation before proceeding.

Layer: BOLA cross-application rejection test
File(s): app/server/appsmith-server/src/test/java/com/appsmith/server/solutions/PartialExportServiceTest.java
Summary: New test testGetPartialExport_crossApplicationPageId_rejected constructs attacker and victim applications, attempts cross-app page export, and verifies rejection with PAGE_DOESNT_BELONG_TO_APPLICATION error. Test imports updated to include AppsmithError and AppsmithException.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

ok-to-test

Suggested reviewers

  • wyattwalter
  • sondermanish

Poem

A page once wandered freely between app and app,
Now validation guards the gate with an earnest snap,
Cross-app IDs are checked and halted at the door,
BOLA’s attempt denied — exports safe once more. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately describes the main security fix: validating page ownership in partial export to address a BOLA/IDOR vulnerability.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: ✅ Passed. The PR description comprehensively addresses the BOLA/IDOR vulnerability, includes root cause analysis, fix details, affected files, and relevant links.


@subrata71 subrata71 self-assigned this May 21, 2026
@subrata71 subrata71 added the ok-to-test Required label for CI label May 21, 2026
@subrata71 subrata71 requested a review from sondermanish May 21, 2026 08:22
@sondermanish sondermanish left a comment

Added a change request, please let me know if it's a valid request


return applicationMono
Mono<String> validatedPageIdMono = applicationMono.flatMap(application -> newPageService
.findById(branchedPageId, null)
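Review bot: `.findById(branchedPageId, null)` resolves the page with a null permission argument, so the lookup itself is not access-controlled and the ownership comparison inside the `flatMap` is the only thing that stops a foreign page id from being used; make sure that comparison is against the `application` resolved from `applicationMono` (the one that was authorized) and not against the raw path parameter. The walkthrough also states that a missing page yields NO_RESOURCE_FOUND while a page from another application yields PAGE_DOESNT_BELONG_TO_APPLICATION; two distinct errors let an authenticated caller learn whether an arbitrary page id exists somewhere, so consider returning the same response for both cases, or add a comment documenting why the distinction is acceptable here.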
There is another call to the page collection in the same flow, let's combine them both to avoid two calls?
