Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-16 23:40:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Fix SECURITY ISSUE 2: Access to boards of any Orgs/Teams, and avatar permissions.

Browse source 
Thanks to Siam Thanat Hack (STH) !
This commit is contained in:
Lauri Ojansivu 2025-11-02 09:11:50 +02:00
parent e9a727301d
commit f26d582018
9 changed files with 347 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

1
server/lib/tests/index.js
View file

@ -1 +1,2 @@
import './utils.tests';
import './users.security.tests';

43
server/lib/tests/users.security.tests.js Normal file
View file

@ -0,0 +1,43 @@
/* eslint-env mocha */
import { expect } from 'chai';
import { isUserUpdateAllowed, hasForbiddenUserUpdateField } from '/models/users';
describe('users security', function() {
describe('isUserUpdateAllowed', function() {
it('allows username update', function() {
expect(isUserUpdateAllowed(['username'])).to.equal(true);
});
it('allows profile updates', function() {
expect(isUserUpdateAllowed(['profile.fullname'])).to.equal(true);
expect(isUserUpdateAllowed(['profile.avatarUrl', 'profile.language'])).to.equal(true);
});
it('denies other top-level fields', function() {
expect(isUserUpdateAllowed(['orgs'])).to.equal(false);
expect(isUserUpdateAllowed(['teams'])).to.equal(false);
expect(isUserUpdateAllowed(['loginDisabled'])).to.equal(false);
expect(isUserUpdateAllowed(['authenticationMethod'])).to.equal(false);
expect(isUserUpdateAllowed(['services'])).to.equal(false);
expect(isUserUpdateAllowed(['emails'])).to.equal(false);
expect(isUserUpdateAllowed(['isAdmin'])).to.equal(false);
});
});
describe('hasForbiddenUserUpdateField', function() {
it('flags forbidden sensitive fields', function() {
expect(hasForbiddenUserUpdateField(['orgs'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['teams'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['loginDisabled'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['authenticationMethod'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['services.facebook'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['emails.0.verified'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['roles'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['isAdmin'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['createdThroughApi'])).to.equal(true);
expect(hasForbiddenUserUpdateField(['sessionData.totalHits'])).to.equal(true);
});
it('does not flag allowed fields', function() {
expect(hasForbiddenUserUpdateField(['username'])).to.equal(false);
expect(hasForbiddenUserUpdateField(['profile.fullname'])).to.equal(false);
});
});
});