Open
Labels
Awaiting Maintainer Approval (Needs review from a maintainer before moving forward), Bug (Error or unexpected behaviors)
Description
p5.js version
Latest
What is your operating system?
None
Web browser and version
all
Actual Behavior
The createProject function in server/controllers/project.controller/createProject.js uses Object.assign() to merge req.body directly into projectValues. Because Object.assign overwrites existing keys, a user field in req.body replaces the req.user._id value that was set one line earlier. This allows an authenticated user to create a project attributed to any other user.
Location:
- File: server/controllers/project.controller/createProject.js
- Lines 9–13 (createProject) and Line 36 (apiCreateProject)

Vulnerable code in createProject:

```js
let projectValues = {
  user: req.user._id // set correctly…
};
projectValues = Object.assign(projectValues, req.body); // …then overwritten by req.body.user
```

Vulnerable code in apiCreateProject:

```js
const params = Object.assign({ user: req.user._id }, req.body); // same issue
```

Note: apiCreateProject has a partial mitigation — it checks req.user.username !== req.params.username at line 63 — but createProject has no such check.
Expected Behavior
The user field should always be set to the authenticated user's ID (req.user._id) and must never be overwritable via the request body.
Steps to reproduce
- Authenticate as any user
- Send a POST to /editor/projects with a session cookie and: { "name": "Test", "user": "<victim_user_id>" }
- Observe the response — the created project's user field (or user.username) is <victim_user_id> (or victim's username), not the authenticated user's ID/username
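The merge pattern from this report beside one way to harden it, as an added example that is not part of the original issue or the project's code. The function names, the ALLOWED_FIELDS allowlist and the sample request values are assumptions made for illustration.

```javascript
// Fields a client may set on a new project (assumed allowlist, not the project's schema).
const ALLOWED_FIELDS = ['name', 'files'];

// Pattern described in the issue: req.body is merged after the server-set
// owner, so a "user" key in the body replaces req.user._id.
function buildVulnerable(req) {
  let projectValues = { user: req.user._id };
  projectValues = Object.assign(projectValues, req.body);
  return projectValues;
}

// Hardened form: copy only allowlisted keys from the body, then set the
// owner last from the authenticated session so the body can never supply it.
function buildHardened(req) {
  const body = req.body && typeof req.body === 'object' ? req.body : {};
  const projectValues = {};
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      projectValues[key] = body[key];
    }
  }
  projectValues.user = req.user._id;
  return projectValues;
}

// Constructed request object: the body carries an owner field and an extra
// server-controlled key alongside a legitimate one.
function sampleRequest() {
  return {
    user: { _id: 'authenticated-user-id' },
    body: { name: 'Test', user: 'other-user-id', _id: 'client-chosen-id' }
  };
}

// Runs both builders on the same request so the results can be compared.
function demo() {
  const req = sampleRequest();
  return { vulnerable: buildVulnerable(req), hardened: buildHardened(req) };
}

console.log(demo());
```

The same comparison works as a regression test: assert that the owner of the built project equals the session user for any request body.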