Security: Users.update and other routes should have whitelisted parameters to be updated #882

BradHN1 · 2024-01-15T13:56:27Z

Describe the bug
In testing for security flaws, George Hughey determined that a malicious user could update parameters in the UserProfile model, which in some cases caused a community site not to load. In his particular case he updated a user_type parameter to be a non-valid json string, which when not intermpreted properly caused the canary site not to load. He suggested whitelisting just those parameters that the frontend needs to be able to set.

The same consideration applies to other .update routes for Community, Team, etc.

BradHN1 added bug Something isn't working API API labels Jan 15, 2024

BradHN1 added this to MassEnergize Software Jan 15, 2024

BradHN1 moved this to Product Backlog in MassEnergize Software Jan 15, 2024

BradHN1 mentioned this issue Jan 15, 2024

Update setting of JSONField parameters to check valid JSON string format #883

Open

BradHN1 moved this from Product Backlog to Sprint Backlog in MassEnergize Software Jan 25, 2024

apowelka moved this from Sprint Backlog to Product Backlog in MassEnergize Software Mar 4, 2024

abdullai-t removed the status in MassEnergize Software Jul 15, 2024

vschiniah self-assigned this Jul 19, 2024

vschiniah moved this to Product Backlog in MassEnergize Software Jul 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Users.update and other routes should have whitelisted parameters to be updated #882

Security: Users.update and other routes should have whitelisted parameters to be updated #882

BradHN1 commented Jan 15, 2024

Security: Users.update and other routes should have whitelisted parameters to be updated #882

Security: Users.update and other routes should have whitelisted parameters to be updated #882

Comments

BradHN1 commented Jan 15, 2024