geli-lms/geli

๐Ÿ› BUG: NotificationSettingsController vulnerabilities

torss opened this issue ยท 0 comments

torss commented

There are various problems in all three of the NotificationSettingsController routes, including vulnerabilities:

  • {get} /api/notificationSettings/user/:id doesn't check whether the @CurrentUser is actually authorized to obtain the notification settings for the given arbitrary user ID.
  • {put} /api/notificationSettings/user/:id doesn't check that the notification settings ID actually belongs to the @CurrentUser, thus any user could override someone else's settings.
  • All three routes respond with settings.toObject(), but the toObject method isn't sanitizing the data and thus also leaks the contained user & course.

Acceptance criteria:

  • Write a fitting access denial unit test for {get} /api/notificationSettings/user/:id. (Obviated by using the@CurrentUser to replace the arbitray ID parameter.)
  • Write a fitting access denial unit test for {put} /api/notificationSettings/user/:id. (Obviated by simplifying the request parameters so far that they are inherently secure; added a course.checkPrivileges and unit test anyway.)
  • Change the routes to use the @CurrentUser, if arbitrary ID input isn't needed by the front-end.
  • Send empty success response in the {put} /api/notificationSettings/user/:id & {post} /api/notificationSettings/ route (unless the response is actually used anywhere in the front-end).
  • Sanitize the {get} /api/notificationSettings/user/:id route response, i.e. replace the toObject stuff with something safe
  • Secure {get} /api/notificationSettings/user/:id route.
  • Secure {put} /api/notificationSettings/user/:id route.
  • {put} /api/notificationSettings/user/:id & {post} /api/notificationSettings/ could be combined, so that here is only a single PUT route to set the notification settings.
  • Move the error messages to the errorCodes file. (Obviated by eliminating the custom errors altogether.)
  • Add/improve 404 error handling in the routes.
  • Adjust front-end code re. the parameters if necessary.

Additional info:

These problems were discovered during the recent #853 audits, see NotificationSettingsController.