From 47145be3b50632078ff6ab8a808211acd682e309 Mon Sep 17 00:00:00 2001 From: bnematzadeh Date: Tue, 5 Nov 2024 14:24:56 -0700 Subject: [PATCH 1/7] Fix Sensitive Data Exposure --- server/lib/user/user.get.js | 2 ++ server/test/security/user.test.js | 15 +++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 server/test/security/user.test.js diff --git a/server/lib/user/user.get.js b/server/lib/user/user.get.js index e99cb844d7..7e1aa0bcab 100644 --- a/server/lib/user/user.get.js +++ b/server/lib/user/user.get.js @@ -65,6 +65,8 @@ async function get(options) { if (userPlain.picture && userPlain.picture.toString) { userPlain.picture = userPlain.picture.toString('utf8'); } + delete userPlain.password; + delete userPlain.telegram_user_id; return userPlain; }); diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js new file mode 100644 index 0000000000..46ef12f3da --- /dev/null +++ b/server/test/security/user.test.js @@ -0,0 +1,15 @@ +const { expect } = require('chai'); +const { request, authenticatedRequest } = require('../controllers/request.test'); + +describe('/api/v1/user/', () => { + it('should return all users with password - regular user', async () => { + await authenticatedRequest + .get('/api/v1/user?fields=password') + .expect('Content-Type', /json/) + .expect(200) + .then((res)=>{ + console.log(res.body) + }) + }); +}) + From 636ce61f6b4b6d059495fa1108447d926a9f4c8e Mon Sep 17 00:00:00 2001 From: Borna Nematzadeh <74822121+bnematzadeh@users.noreply.github.com> Date: Wed, 6 Nov 2024 00:53:04 -0700 Subject: [PATCH 2/7] Update user.test.js --- server/test/security/user.test.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js index 46ef12f3da..3f652de3fe 100644 --- a/server/test/security/user.test.js +++ b/server/test/security/user.test.js 
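Review bot: The two `delete` calls strip `password` and `telegram_user_id` only after the row has been fetched with those columns, so the hash still travels from the database into the model object and any other code path that serializes a user row without going through this map stays unprotected; the test added later in this series requests `?fields=password`, which suggests callers can select attributes, so excluding these columns at the query level (if this is Sequelize, `attributes: { exclude: [...] }`, or filtering the requested fields before the query) would remove them at the source with the `delete` kept as a backstop. The list of stripped fields also deserves a named constant with a comment so it is maintained in one place, e.g. `const SENSITIVE_FIELDS = ['password', 'telegram_user_id']; // never returned to API clients` followed by `SENSITIVE_FIELDS.forEach((field) => delete userPlain[field]);`. The enclosing `get` function starts and ends outside the hunk.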
@@ -2,13 +2,13 @@ const { expect } = require('chai'); const { request, authenticatedRequest } = require('../controllers/request.test'); describe('/api/v1/user/', () => { - it('should return all users with password - regular user', async () => { + it('should return all users without password', async () => { await authenticatedRequest .get('/api/v1/user?fields=password') .expect('Content-Type', /json/) .expect(200) .then((res)=>{ - console.log(res.body) + expect(res.body).to.not.have.key('password') }) }); }) From 36ee61ea384a7fe29cf6e5017fcc1b1bb3a115fc Mon Sep 17 00:00:00 2001 From: Borna Nematzadeh <74822121+bnematzadeh@users.noreply.github.com> Date: Fri, 8 Nov 2024 05:35:33 -0700 Subject: [PATCH 3/7] Update user.test.js I modified this test and it passed successfully --- server/test/security/user.test.js | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js index 3f652de3fe..e142cbc348 100644 --- a/server/test/security/user.test.js +++ b/server/test/security/user.test.js @@ -1,15 +1,17 @@ -const { expect } = require('chai'); -const { request, authenticatedRequest } = require('../controllers/request.test'); +const { + expect +} = require('chai'); +const { + request, + authenticatedRequest +} = require('../controllers/request.test'); -describe('/api/v1/user/', () => { - it('should return all users without password', async () => { - await authenticatedRequest - .get('/api/v1/user?fields=password') - .expect('Content-Type', /json/) - .expect(200) - .then((res)=>{ - expect(res.body).to.not.have.key('password') - }) - }); +describe('/api/v1/user/', () = >{ + it('should return all users without password', async() = >{ + await authenticatedRequest.get('/api/v1/user?fields=password').expect('Content-Type', /json/).expect(200).then((res) = >{ + res.body.forEach((user) = >{ + expect(user).to.not.have.property('password'); + }); + }) + }); }) - 
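Review bot: The rewritten assertion in `user.test.js` passes vacuously when `res.body` is empty, because `forEach` over an empty array never reaches `expect`, and it only checks `password` although the fix in 1/7 also strips `telegram_user_id`; the same body is carried unchanged into the reformatted version in 4/7. Adding `expect(res.body).to.be.an('array').that.is.not.empty;` before the loop and asserting `expect(user).to.not.have.any.keys('password', 'telegram_user_id');` inside it would close the empty-response gap and cover both stripped fields. A second request with `?fields=telegram_user_id` would exercise the field-selection path for the other column as well.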
From 6560f0a4fb02b7bd506ee3dfd334dd36ff5b962c Mon Sep 17 00:00:00 2001 From: Borna Nematzadeh <74822121+bnematzadeh@users.noreply.github.com> Date: Fri, 8 Nov 2024 05:48:57 -0700 Subject: [PATCH 4/7] Update user.test.js --- server/test/security/user.test.js | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js index e142cbc348..79024c0bee 100644 --- a/server/test/security/user.test.js +++ b/server/test/security/user.test.js @@ -1,17 +1,16 @@ -const { - expect -} = require('chai'); -const { - request, - authenticatedRequest -} = require('../controllers/request.test'); +const { expect } = require('chai'); +const { request, authenticatedRequest } = require('../controllers/request.test'); -describe('/api/v1/user/', () = >{ - it('should return all users without password', async() = >{ - await authenticatedRequest.get('/api/v1/user?fields=password').expect('Content-Type', /json/).expect(200).then((res) = >{ - res.body.forEach((user) = >{ - expect(user).to.not.have.property('password'); +describe('/api/v1/user/', () => { + it('should return all users without password', async () => { + await authenticatedRequest + .get('/api/v1/user?fields=password') + .expect('Content-Type', /json/) + .expect(200) + .then((res) => { + res.body.forEach((user) => { + expect(user).to.not.have.property('password'); + }); }); - }) }); -}) +}); From 759dea67fc8dc2be59c5ccf75016e7d0980ac584 Mon Sep 17 00:00:00 2001 From: bnematzadeh Date: Fri, 8 Nov 2024 06:46:44 -0700 Subject: [PATCH 5/7] Update user.test.js --- server/test/security/user.test.js | 1 + 1 file changed, 1 insertion(+) diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js index 79024c0bee..a3101e53bf 100644 --- a/server/test/security/user.test.js +++ b/server/test/security/user.test.js 
@@ -1,6 +1,7 @@ const { expect } = require('chai'); const { request, authenticatedRequest } = require('../controllers/request.test'); +// updated describe('/api/v1/user/', () => { it('should return all users without password', async () => { await authenticatedRequest From 9b42e71cf82f8ed372aefecc412bb589081071b2 Mon Sep 17 00:00:00 2001 From: bnematzadeh Date: Fri, 8 Nov 2024 07:15:49 -0700 Subject: [PATCH 6/7] Update user.test.js --- server/test/security/user.test.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js index a3101e53bf..3bb9aaa16b 100644 --- a/server/test/security/user.test.js +++ b/server/test/security/user.test.js @@ -1,7 +1,6 @@ const { expect } = require('chai'); -const { request, authenticatedRequest } = require('../controllers/request.test'); +const { authenticatedRequest } = require('../controllers/request.test'); -// updated describe('/api/v1/user/', () => { it('should return all users without password', async () => { await authenticatedRequest From 08554b0224a708adb203b6749d5c7cf149ba5a13 Mon Sep 17 00:00:00 2001 From: bnematzadeh Date: Sat, 9 Nov 2024 07:56:40 -0700 Subject: [PATCH 7/7] Fix sessions exposure in session.get.js --- server/lib/session/session.get.js | 2 ++ server/test/security/session.test.js | 17 +++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 server/test/security/session.test.js diff --git a/server/lib/session/session.get.js b/server/lib/session/session.get.js index 90fe07e1eb..415c6afa84 100644 --- a/server/lib/session/session.get.js +++ b/server/lib/session/session.get.js @@ -9,6 +9,7 @@ const DEFAULT_OPTIONS = { const FIELDS = [ 'id', + 'user_id', 'token_type', 'scope', 'valid_until', @@ -37,6 +38,7 @@ async function get(userId, options) { order: [[optionsWithDefault.order_by, optionsWithDefault.order_dir]], where: { revoked: false, + user_id: userId, }, }); 
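Review bot: The new `user_id: userId` condition in `session.get.js` is the only thing scoping the query to the caller, but nothing in the hunk checks that `userId` was actually supplied; what an ORM does with an `undefined` value inside `where` depends on the version (some reject it, some drop the condition), so a missing id should fail closed rather than be left to that behaviour. A guard at the top of `get`, `if (!userId) { throw new Error('userId is required to list sessions'); }`, makes the scoping explicit (adapt the error type to the project's conventions). The first hunk adds `'user_id'` to `FIELDS`; since the result is now filtered to the requester this exposes nothing new, but a one-line comment such as `// user_id is returned so callers (and tests) can verify the scoping` would record why it is there. `get(userId, options)` starts and ends outside these hunks.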
diff --git a/server/test/security/session.test.js b/server/test/security/session.test.js new file mode 100644 index 0000000000..fbd0dc791b --- /dev/null +++ b/server/test/security/session.test.js @@ -0,0 +1,17 @@ +const { expect } = require('chai'); +const { authenticatedRequest } = require('../controllers/request.test'); + +describe('/api/v1/session/', () => { + it('should return the sessionIds of current user', async () => { + await authenticatedRequest + .get('/api/v1/session') + .expect('Content-Type', /json/) + .expect(200) + .then(async (res) => { + const userId = '0cd30aef-9c4e-4a23-88e3-3547971296e5'; + res.body.forEach((u) => { + expect(u.user_id).to.be.equal(userId); + }); + }); + }); +});
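Review bot: The session test asserts nothing when `res.body` is empty, since `forEach` over an empty array performs no `expect`, and the expected owner is a literal UUID that must stay in sync with whatever fixture `authenticatedRequest` logs in as; if that fixture id is exported from the test helpers it should be referenced rather than duplicated here. Adding `expect(res.body).to.be.an('array').that.is.not.empty;` before the loop closes the empty-response gap, and the `async` on the `.then` callback is unnecessary because nothing inside it is awaited. A second case that seeds a non-revoked session for a different user and checks it is absent from the response would verify the `where` change directly, which the positive assertion alone does not.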