Unauthorized Access to Private Fields in User Registration API

System Details

Name	Value
OS	Windows 11
Version	4.11.1 (node v16.14.2)
Database	mysql

Description

I marked some fields as private fields in user content-type, and tried to register as a new user via api, at the same time I added content to fill the private fields and sent a post request, and as you can see from the images below, I can write to the private fields.

To prevent this, I went to the extension area and tried to extend the register method, for this I wanted to do it using the sanitizeInput function that I know in the source codes of the strap. But the sanitizeInput function did not filter out private fields.

  const { auth } = ctx.state;
  const data = ctx.request.body;
  const userSchema = strapi.getModel("plugin::users-permissions.user");

  sanitize.contentAPI.input(data, userSchema, { auth });

here's the solution I've temporarily kept to myself, code snippet

  const body = ctx.request.body;

  const { attributes } = strapi.getModel("plugin::users-permissions.user");

  const sanitizedData = _.omitBy(body, (data, key) => {
    const attribute = attributes[key];

    if (_.isNil(attribute)) {
      return false;
    }

    //? If you want, you can throw an error for fields that we did not expect.

    // if (_.isNil(attribute))
    //   throw new ApplicationError(`Unexpected value ${key}`);

    // if private value is true, we do not want to send it to the database.
    return attribute.private;
  });

  return sanitizedData;

References

alexandrebodin published to strapi/strapi Nov 3, 2023

Published to the GitHub Advisory Database Nov 3, 2023

Reviewed Nov 3, 2023

Published by the National Vulnerability Database Nov 6, 2023

Last updated Nov 6, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

System Details

Description

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits