Fix SECURITY ISSUE 3: Unauthenticated (or any) user can update board sort.

Thanks to Siam Thanat Hack (STH) !
2025-12-16 07:20:12 +01:00 · 2025-11-02 10:13:45 +02:00 · 2025-11-02 10:13:45 +02:00 · ea310d7508
commit ea310d7508
parent 0a2e6a0c38
6 changed files with 119 additions and 23 deletions
--- a/server/lib/tests/boards.security.tests.js
+++ b/server/lib/tests/boards.security.tests.js
@ -0,0 +1,50 @@
+/* eslint-env mocha */
+import { expect } from 'chai';
+import { Random } from 'meteor/random';
+import '../utils';
+
+// Unit tests for canUpdateBoardSort policy
+
+describe('boards security', function() {
+  describe(canUpdateBoardSort.name, function() {
+    it('denies anonymous updates even if fieldNames include sort', function() {
+      const userId = null;
+      const board = {
+        hasMember: () => true,
+      };
+      const fieldNames = ['sort'];
+
+      expect(canUpdateBoardSort(userId, board, fieldNames)).to.equal(false);
+    });
+
+    it('denies updates by non-members', function() {
+      const userId = Random.id();
+      const board = {
+        hasMember: (id) => id === 'someone-else',
+      };
+      const fieldNames = ['sort'];
+
+      expect(canUpdateBoardSort(userId, board, fieldNames)).to.equal(false);
+    });
+
+    it('allows updates when user is a member and updating sort', function() {
+      const userId = Random.id();
+      const board = {
+        hasMember: (id) => id === userId,
+      };
+      const fieldNames = ['sort'];
+
+      expect(canUpdateBoardSort(userId, board, fieldNames)).to.equal(true);
+    });
+
+    it('denies updates when not updating sort', function() {
+      const userId = Random.id();
+      const board = {
+        hasMember: (id) => id === userId,
+      };
+      const fieldNames = ['title'];
+
+      expect(canUpdateBoardSort(userId, board, fieldNames)).to.equal(false);
+    });
+  });
+});
--- a/server/lib/tests/index.js
+++ b/server/lib/tests/index.js
@ -1,2 +1,3 @@
 import './utils.tests';
 import './users.security.tests';
+import './boards.security.tests';
--- a/server/lib/utils.js
+++ b/server/lib/utils.js
@ -24,3 +24,12 @@ allowIsBoardMemberByCard = function(userId, card) {
  const board = card.board();
  return board && board.hasMember(userId);
 };
+
+// Policy: can a user update a board's 'sort' field?
+// Requirements:
+//  - user must be authenticated
+//  - update must include 'sort' field
+//  - user must be a member of the board
+canUpdateBoardSort = function(userId, board, fieldNames) {
+  return !!userId && _.contains(fieldNames || [], 'sort') && allowIsBoardMember(userId, board);
+};