
Fix: mass assignment update project #3875 #3893

Open
Nixxx19 wants to merge 3 commits into processing:develop from Nixxx19:fix-mass-assignment-updateProject-3875

Conversation


@Nixxx19 Nixxx19 commented Feb 15, 2026

Fixes #3875

Changes

  • Whitelist allowed fields in updateProject (name, files, updatedAt, visibility) so user, slug, etc. can't be overwritten via the request body.
  • Mark user and slug as immutable: true in the Project schema so ownership and URL can't be changed via updates.
  • Add tests for updateProject: 404, 403, whitelist (user/slug in body ignored), and that allowed fields are applied.

updateProject tests (all passing):

[Screenshot (2026-02-15): updateProject test run output, all tests passing]

I have verified that this pull request:

  • has no linting errors (npm run lint)
  • has no test errors (npm run test)
  • has no typecheck errors (npm run typecheck)
  • is from a uniquely-named feature branch and is up to date with the develop branch.
  • is descriptively named and links to an issue number, i.e. Fixes #3875
  • meets the standards outlined in the accessibility guidelines
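The whitelist-plus-ownership-check pattern described in this PR, as an added example that is not the PR's or the p5.js web editor's own code: an Express-style updateProject handler with the vulnerable merge shown beside the hardened one. The in-memory Map, project ids and request shape are assumed stand-ins for the Mongoose model and the real route.

```javascript
// Added example, not the p5.js web editor's own code: an Express-style updateProject
// handler with a plain in-memory Map standing in for the Mongoose model so it runs offline.
// Field names mirror the PR description; the store, ids and request shape are constructed.
const ALLOWED_UPDATE_FIELDS = ['name', 'files', 'updatedAt', 'visibility'];

// Copy only whitelisted keys from the request body. Anything else in the body
// (user, slug, _id, ...) is dropped, so a request cannot reassign ownership or the URL.
function pickAllowedFields(body) {
  const picked = {};
  for (const key of ALLOWED_UPDATE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) picked[key] = body[key];
  }
  return picked;
}

// The vulnerable shape the fix replaces: the whole request body is merged into the
// document, so any schema field the client names gets written.
function applyUpdateUnsafe(project, body) {
  return Object.assign({ ...project }, body);
}

// Fresh constructed "collection" keyed by project id, so each call starts clean.
function sampleStore() {
  return new Map([
    ['p1', { _id: 'p1', user: 'alice', slug: 'alice-sketch', name: 'Sketch',
             files: [], visibility: 'Public' }],
  ]);
}

// Hardened handler. Returns { status, body } instead of writing to res so the
// outcome can be checked directly: 404 when missing, 403 for non-owners, then a
// whitelisted merge. Ownership is checked before any write happens.
function updateProject(req, store) {
  const project = store.get(req.params.project_id);
  if (!project) return { status: 404, body: { message: 'Project not found' } };
  if (project.user !== req.user.id) return { status: 403, body: { message: 'Forbidden' } };
  const updated = { ...project, ...pickAllowedFields(req.body) };
  store.set(project._id, updated);
  return { status: 200, body: updated };
}

// Schema-level `immutable: true` on user and slug is the second layer; this mirrors it
// as a post-condition: whatever the merge did, those two fields must be unchanged.
function ownershipPreserved(before, after) {
  return before.user === after.user && before.slug === after.slug;
}
```

The same four cases the PR's tests cover (404, 403, user/slug in the body ignored, allowed fields applied) can be exercised against `updateProject` with a request object and a fresh `sampleStore()`.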


Iron-56 commented Feb 18, 2026

@raclim could you merge the PR? I have verified both the working and the test file.


Development

Successfully merging this pull request may close these issues.

Mass-Assignment Vulnerability in updateProject

2 participants
