Security Fix 3: Card comment author spoofing (IDOR) via API.

Thanks to Joshua Rogers of joshua.hu, Twitter MegaManSec !
2025-12-30 06:08:48 +01:00 · 2025-12-29 16:34:00 +02:00 · 2025-12-29 16:34:00 +02:00 · 67cb47173c
commit 67cb47173c
parent 7ed76c180e
2 changed files with 3 additions and 10 deletions
--- a/models/cardComments.js
+++ b/models/cardComments.js
@ -313,8 +313,7 @@ if (Meteor.isServer) {
   *
   * @param {string} boardId the board ID of the card
   * @param {string} cardId the ID of the card
-   * @param {string} authorId the user who 'posted' the comment
-   * @param {string} text the content of the comment
+   * @param {string} comment the content of the comment
   * @return_type {_id: string}
   */
  JsonRoutes.add(
@ -326,7 +325,7 @@ if (Meteor.isServer) {
        const paramCardId = req.params.cardId;
        Authentication.checkBoardAccess(req.userId, paramBoardId);
        const id = CardComments.direct.insert({
-          userId: req.body.authorId,
+          userId: req.userId,
          text: req.body.comment,
          cardId: paramCardId,
          boardId: paramBoardId,
@ -344,7 +343,7 @@ if (Meteor.isServer) {
          cardId: paramCardId,
          boardId: paramBoardId,
        });
-        commentCreation(req.body.authorId, cardComment);
+        commentCreation(req.userId, cardComment);
      } catch (error) {
        JsonRoutes.sendResult(res, {
          code: 200,
--- a/public/api/wekan.yml
+++ b/public/api/wekan.yml
@ -1115,12 +1115,6 @@ paths:
        - multipart/form-data
        - application/json
      parameters:
-        - name: authorId
-          in: formData
-          description: |
-            the user who 'posted' the comment
-          type: string
-          required: true
        - name: comment
          in: formData
          description: the comment value