SECURITY: Deny modification of flags using REST API

Authorization bypass by user-controlled key in SpecificApps REST API in ScratchOAuth2 allows app owners to set flags that indicate whether an app is verified on their own apps.
ScratchVerifier · Apr 12, 2021 · d856dc7 · d856dc7
1 parent a91879b
commit d856dc7
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/includes/api/SpecificApps.php b/includes/api/SpecificApps.php
@@ -38,6 +38,8 @@ private function patch( int $client_id, int $owner_id ) {
 		$data = $this->getRequest()->getBody()->getContents();
 		$data = json_decode($data, true);
 		if (!$data) return $this->http400();
+		// Users may not modify flags, thus 403
+		if (array_key_exists('flags', $data)) return $this->getResponseFactory()->createHttpError(403);
 		if (
 			array_key_exists('reset_secret', $data)
 			&& !is_bool($data['reset_secret'])