MikeWatch Forks of the Mike legal-AI codebase, distilled for legal-tech readers
Home · easterbrooka/mike · this thread

easterbrooka closes a document-leak hole in tabular review

A free-tier user could have tricked the server into reading documents they didn't own and handing back the contents.

securitydiscovery

The tabular review feature - the part of Mike that runs an AI over a set of documents and fills in a spreadsheet of answers - was accepting whatever document IDs the caller sent, without checking the caller could actually see those documents. A determined attacker on a free account could drop someone else's document IDs into their own review, let the server fetch the files from storage, run an extraction over them, and read the results back through the normal review screen.

easterbrooka added an access check at every door into that feature: creating a review, editing one, regenerating a single cell, and the bulk generation path. Unauthorised IDs are quietly dropped rather than throwing an error, so existing reviews with stale references keep working. The fix was credited to an automated scanner plus manual review, and merged within a minute of opening.

So what Anyone running Mike in production - especially on a multi-tenant or freemium footing - should pull this fix immediately.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?