Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 BUG: Insufficient API Validation #1378

Open
1 task done
cr4shed opened this issue Aug 29, 2024 · 1 comment
Open
1 task done

🐛 BUG: Insufficient API Validation #1378

cr4shed opened this issue Aug 29, 2024 · 1 comment
Labels
Status: Accepted Type: Bug

Comments

@cr4shed
Copy link

cr4shed commented Aug 29, 2024
edited
Loading

What went wrong? 🤔

Insufficient API data validation can cause unexpected behavior. The following mutations seem to bypass some frontend validation:

  1. UpdateUserProfile accepts a bio string exceeding the frontend maximum of 100.
  2. UpdateUserProfile accepts an experienceLevel string with any text in it, regardless of whether it appears in the predefined dropdown list.
  3. UpdateUserProfile accepts name being null, subsequent updates to the profile with name null does trigger validation however and the request fails.
  4. UpdateUserProfile accepts any string for image and will attempt to retrieve whatever is entered. For instance I can make my image an external gif (which seems to be unsupported by the frontend). This may enable persistent CSRF or XSS attacks. It does seem however that the Squad image validation does only accept an upload and does not accept links.
  5. UpdateMemberRole allows admins to change their own role.
  6. generateDevCardV2 allows users to change their theme regardless of whether they meet the reputation requirements.

Expected Behavior

The below is what I expected when sending these mutations:

  1. API validates bio and fails when it exceeds 100 characters.
  2. API validates experienceLevel and fails if it is not a predefined value.
  3. API validates name and does not accept null.
  4. API validates image and only accepts an upload.
  5. API validates that [target]memberId != [sendingMemberId] or [targetMemberRole] != admin to prevent admins from changing roles for other admins.
    1. API validates reputation requirements for themes.

Steps to Reproduce Issue

I am going to omit the repro steps to prevent abuse but I am happy to explain further if necessary.

Solution Proposed

Ensure the API validates all user input, ideally at all levels (database, API, client).

Environment

No response

Browsers

No response

OS

No response

Version of daily.dev

No response

Additional Context

Bio, experience level, null name, legendary DevCard with 10 reputation, and gif for image can be observed at https://app.daily.dev/cr4shed. I also have a Squad with no admin which I achieved by changing my own role to moderator https://dly.to/MJBSxmuqRBp.

Code of Conduct

  • I follow the conditions of this project.
@cr4shed cr4shed changed the title 🐛 BUG: 🐛 BUG: Insufficient API Validation Aug 29, 2024
@idoshamun
Copy link
Member

Hi @cr4shed,

Thank you for this deep analysis, we're aware of that and will fix that soon

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Status: Accepted Type: Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rebelchris @idoshamun @cr4shed