Skip to content

Unauthorized Access to Private Fields in User Registration API

High
alexandrebodin published GHSA-gc7p-j5xm-xxh2 Nov 3, 2023

Package

npm @strapi/plugin-users-permissions (npm)

Affected versions

4.0.0

Patched versions

4.13.1
npm @strapi/strapi (npm)
4.0.0
4.13.1

Description

System Details

Name Value
OS Windows 11
Version 4.11.1 (node v16.14.2)
Database mysql

Description

I marked some fields as private fields in user content-type, and tried to register as a new user via api, at the same time I added content to fill the private fields and sent a post request, and as you can see from the images below, I can write to the private fields.

register

user

private_field

table

To prevent this, I went to the extension area and tried to extend the register method, for this I wanted to do it using the sanitizeInput function that I know in the source codes of the strap. But the sanitizeInput function did not filter out private fields.

  const { auth } = ctx.state;
  const data = ctx.request.body;
  const userSchema = strapi.getModel("plugin::users-permissions.user");

  sanitize.contentAPI.input(data, userSchema, { auth });

here's the solution I've temporarily kept to myself, code snippet

  const body = ctx.request.body;

  const { attributes } = strapi.getModel("plugin::users-permissions.user");

  const sanitizedData = _.omitBy(body, (data, key) => {
    const attribute = attributes[key];

    if (_.isNil(attribute)) {
      return false;
    }

    //? If you want, you can throw an error for fields that we did not expect.

    // if (_.isNil(attribute))
    //   throw new ApplicationError(`Unexpected value ${key}`);

    // if private value is true, we do not want to send it to the database.
    return attribute.private;
  });

  return sanitizedData;

Severity

High
7.6
/ 10

CVSS base metrics

Attack vector
Adjacent
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CVE ID

CVE-2023-39345

Weaknesses

No CWEs

Credits