fix: prevent mass-assignment of user field in createProject and apiCreateProject #3876 (#3889)

Open

Nixxx19 wants to merge 2 commits into processing:develop from Nixxx19:fix/mass-assignment-vulnerability-3876

Conversation

Nixxx19 (Contributor) commented Feb 14, 2026

Fixes #3876

Changes:

Problem

The createProject and apiCreateProject functions in server/controllers/project.controller/createProject.js used Object.assign() in a way that allowed req.body.user to overwrite the authenticated user's ID (req.user._id). This meant an authenticated user could create a project attributed to any other user by including a spoofed user field in the request body.

Vulnerable code in createProject:

let projectValues = {
  user: req.user._id          // set correctly…
};
projectValues = Object.assign(projectValues, req.body);  // …then overwritten by req.body.user

Vulnerable code in apiCreateProject:

const params = Object.assign({ user: req.user._id }, req.body);  // same issue

Fix

Swapped the Object.assign() argument order in both functions so that { user: req.user._id } is always the last argument, ensuring the authenticated user's ID can never be overridden by the request body.

Fixed createProject:

const projectValues = Object.assign({}, req.body, { user: req.user._id });

Fixed apiCreateProject:

const params = Object.assign({}, req.body, { user: req.user._id });

S3 Impact

Confirmed that neither createProject nor apiCreateProject performs any S3 operations directly. S3 uploads are handled separately via the /S3/sign endpoint. This fix does not affect S3 file paths or uploads.

Verification

Tested locally by sending a POST request with a spoofed user ID (555555555555555555555555) in the request body. The response correctly shows the authenticated user's ID and username, confirming the fix works as expected.

[Screenshot, 2026-02-14: verification response]

I have verified that this pull request:

  • has no linting errors (npm run lint)
  • has no test errors (npm run test)
  • has no typecheck errors (npm run typecheck)
  • is from a uniquely-named feature branch and is up to date with the develop branch.
  • is descriptively named and links to an issue number, i.e. Fixes #3876
  • meets the standards outlined in the accessibility guidelines
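The ordering issue described in the PR, as an added example that is not the project's own code: the two `Object.assign()` shapes from the description are modelled side by side on a constructed Express-style `req` object, plus a stricter allowlist variant (an assumption, not part of the PR) that copies only named client-writable fields so no other unexpected body key reaches the model. The field names `name`, `files`, `visibility` and the helper `bodyAttemptsOwnerOverride` are hypothetical.

```javascript
// Added example (not the project's own code): models the parameter-building step
// of createProject/apiCreateProject from the PR description. `req` objects are
// constructed stand-ins for Express requests (req.user set by auth, req.body parsed).

// Before the fix: req.body is merged last, so a `user` key in the body wins.
function buildProjectValuesVulnerable(req) {
  let projectValues = { user: req.user._id };
  projectValues = Object.assign(projectValues, req.body);
  return projectValues;
}

// After the fix (as in the PR): the authenticated id is merged last and always wins.
// Note that every other key in req.body still flows through unchanged.
function buildProjectValuesFixed(req) {
  return Object.assign({}, req.body, { user: req.user._id });
}

// Stricter variant (assumption, not in the PR): copy only an explicit allowlist of
// client-writable fields, then set ownership from the session. Field names are hypothetical.
const WRITABLE_FIELDS = ['name', 'files', 'visibility'];
function buildProjectValuesAllowlist(req) {
  const projectValues = {};
  for (const key of WRITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(req.body, key)) {
      projectValues[key] = req.body[key];
    }
  }
  projectValues.user = req.user._id;
  return projectValues;
}

// Detection hook (hypothetical): report a body that tries to set the ownership field,
// so the attempt can be logged even though the fixed builders ignore it.
function bodyAttemptsOwnerOverride(req) {
  return (
    Object.prototype.hasOwnProperty.call(req.body, 'user') &&
    String(req.body.user) !== String(req.user._id)
  );
}

// Constructed request: the session user is 'aaaa…', the body carries a spoofed id
// (same shape as the PR's verification step) and one key outside the allowlist.
const sampleReq = {
  user: { _id: 'aaaaaaaaaaaaaaaaaaaaaaaa' },
  body: { name: 'demo', user: '555555555555555555555555', extraField: 'not allowlisted' },
};

console.log('vulnerable owner:', buildProjectValuesVulnerable(sampleReq).user);
console.log('fixed owner:     ', buildProjectValuesFixed(sampleReq).user);
console.log('allowlist result:', buildProjectValuesAllowlist(sampleReq));
console.log('override attempt:', bodyAttemptsOwnerOverride(sampleReq));
```

The fixed form guarantees the `user` field but is still a "merge everything from the client" pattern; the allowlist form is the shape to reach for when the model has other server-controlled fields, which is the same concern the follow-up issue on updateProject raises.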

Iron-56 (Contributor) commented Feb 15, 2026

Looks good, I have verified it @raclim


Nixxx19 (Contributor, Author) commented Feb 15, 2026

Thanks for verifying that @Iron-56, appreciate the quick look!

Since we're on a roll, would you mind sharing your thoughts on #3875 when you have a second? It’s a Mass-Assignment vulnerability in updateProject. I’d love to get your perspective on it before I dive into the fix.

Nixxx19 changed the title from "fix: prevent mass-assignment of user field in createProject and apiCreateProject" to "fix: prevent mass-assignment of user field in createProject and apiCreateProject #3876" on Feb 16, 2026

Development

Successfully merging this pull request may close these issues: Mass-Assignment Vulnerability in createProject — User Field Overwrite (#3876)