
Fix Sensitive Data Exposure #2158

Merged 6 commits on Nov 8, 2024

Conversation

bnematzadeh
Contributor

Description

While reviewing the code, I encountered two vulnerabilities: one is the lack of access to call the /v1/user endpoint, and the other is the disclosure of sensitive user information, such as their encrypted passwords, etc. In user.controller.js, there is a function defined as getUsers, and according to the following code in routes.js, we see that it is possible to call this endpoint through a user who is simply logged into the system:

'get /api/v1/user': {
  authenticated: true,
  controller: userController.getUsers,
},

In getUsers, various parameters can be received through the query string. I came across an interesting parameter named fields, which allows us to set multiple values using commas in the query string and send them. The value of fields is stored in the queryParams variable within the get function and is included in the query. The problem here is that, unlike other application routes that remove the password and other sensitive fields before sending the response, there is no such code in this case to prevent this, and we can read sensitive user fields from the server.
For the proof of concept, I wrote a security test. Before running it, ensure that the request is sent from a user who is not an admin.
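The handler shape described above, reduced to a runnable sketch with the hardened variant beside it. This is an added example, not Gladys code: the in-memory user table, the field names and the allowlist are constructed assumptions.

```javascript
// Added example (not Gladys code). Constructed in-memory "users" table;
// `password` stands in for the stored password hash.
const USERS = [
  { id: 1, firstname: 'Ada', email: 'ada@example.test', role: 'admin', password: '$argon2id$constructed-1' },
  { id: 2, firstname: 'Bob', email: 'bob@example.test', role: 'habitant', password: '$argon2id$constructed-2' },
];

// Fields a logged-in, non-admin caller is allowed to read (assumed list).
const PUBLIC_FIELDS = new Set(['id', 'firstname', 'email', 'role']);

// Parse `?fields=a,b,c` into a de-duplicated list of trimmed, non-empty names.
function parseFields(query) {
  if (!query.fields) return [];
  return [...new Set(query.fields.split(',').map((f) => f.trim()).filter(Boolean))];
}

// Keep only the requested keys that actually exist on the row.
function project(row, fields) {
  return Object.fromEntries(fields.filter((f) => f in row).map((f) => [f, row[f]]));
}

// Vulnerable shape: the caller's field list is used as-is for the projection,
// so `fields=email,password` returns the password column.
function getUsersVulnerable(query, users = USERS) {
  const fields = parseFields(query);
  return users.map((u) => (fields.length ? project(u, fields) : { ...u }));
}

// Hardened shape: intersect the request with the allowlist and fall back to
// the full allowlist when nothing valid was requested. Unknown or sensitive
// names are silently dropped rather than passed to the query.
function getUsersFixed(query, users = USERS) {
  const requested = parseFields(query).filter((f) => PUBLIC_FIELDS.has(f));
  const fields = requested.length ? requested : [...PUBLIC_FIELDS];
  return users.map((u) => project(u, fields));
}

// Defender-side assertion for a response: true if any row carries a key
// outside the allowlist (what a security test would check).
function leaksSensitiveField(rows) {
  return rows.some((row) => Object.keys(row).some((k) => !PUBLIC_FIELDS.has(k)));
}

const probe = { fields: 'email,password' };
console.log('vulnerable leaks:', leaksSensitiveField(getUsersVulnerable(probe))); // true
console.log('fixed leaks:', leaksSensitiveField(getUsersFixed(probe)));           // false
```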



@Pierre-Gilles Pierre-Gilles left a comment


Thanks for this PR 🙏
I wrote 2 small comments on the unit test 🙂

@bnematzadeh bnematzadeh changed the title Fix Broken Function Level Authorization & Sensitive Data Exposure Vulnerabilities Fix Sensitive Data Exposure Nov 6, 2024

@Pierre-Gilles Pierre-Gilles left a comment


It seems you forgot to run prettier

I modified this test and it passed successfully
@Pierre-Gilles

@bnematzadeh There is an issue with eslint in your file, let me know if you need help fixing it

@bnematzadeh

@bnematzadeh There is an issue with eslint in your file, let me know if you need help fixing it

Prettier was run on this code before the commit, but I don’t know what the issue is. Can you help me?

@Pierre-Gilles

Screenshot 2024-11-08 at 14 52 06



@Pierre-Gilles Pierre-Gilles left a comment


Looks good to me! Thanks for this PR! :)

@Pierre-Gilles Pierre-Gilles merged commit c524f73 into GladysAssistant:master Nov 8, 2024
9 checks passed