geli-lms/geli

๐Ÿ› BUG: NotificationController vulnerabilities

torss opened this issue ยท 0 comments

torss commented

There are various problems in the NotificationController, including vulnerabilities:

  • {post} /api/notification/ (createNotifications) and {post} /api/notification/user/:id (createNotificationForStudent) don't check that teachers are actually authorized to send notifications for the requested course.
  • {post} /api/notification/ & {post} /api/notification/user/:id unnecessarily send non-empty success responses.
  • {get} /api/notification/user/:id (getNotifications) allows any user to read the notifications of any other user, since one can request an arbitrary id.
  • {get} /api/notification/user/:id uses notification.toObject as part of the success response, but the toObject method doesn't properly sanitize the contained data.
  • {delete} /api/notification/:id also seems to leak data similar to {get} /api/notification/user/:id, but it probably could just return an empty success response anyway.

Acceptance criteria:

  • Write a fitting access denial unit test for {post} /api/notification/.
  • Write a fitting access denial unit test for {post} /api/notification/user/:id.
  • Secure {post} /api/notification/ by checking teacher course ("edit-level") authorization.
  • Secure {post} /api/notification/user/:id by checking teacher course ("edit-level") authorization.
  • Send empty success response in {post} /api/notification/.
  • Send empty success response in {post} /api/notification/user/:id.
  • Secure {get} /api/notification/user/:id by using the @CurrentUser instead of allowing arbitrary id requests (if this change is possible; else check for authorization as required).
  • Secure {get} /api/notification/user/:id by sanitizing the response properly, i.e. at least without data leaks.
  • Secure {delete} /api/notification/:id by sending an empty success response (if this change is possible; else the response should be sanitized similarly to {get} /api/notification/user/:id).
  • Move the error messages to the errorCodes file.
  • Add/improve 404 error handling in the routes.
  • Refactor {post} /api/notification/ & {post} /api/notification/user/:id so that the requests ever only specify either the changed course, lecture or unit. This will also require adjustments in the front-end.

Additional info:

These problems were discovered during the recent #853 audits, see NotificationController.