fix(users): don't update secure profile fields (#1421)

* Fix(users): Don't update secure profile fields Avoid updating secure fields as password, salt ..etc through user profile update. Fixes #1420 * Refactor variable name
meanjs · Aug 27, 2016 · 730cca7 · 730cca7
1 parent 2f394ec
commit 730cca7
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 8 deletions.
diff --git a/modules/users/server/controllers/users/users.profile.server.controller.js b/modules/users/server/controllers/users/users.profile.server.controller.js
@@ -12,22 +12,19 @@ var _ = require('lodash'),
   config = require(path.resolve('./config/config')),
   User = mongoose.model('User');
 
+var whitelistedFields = ['firstName', 'lastName', 'email', 'username'];
+
 /**
  * Update user details
  */
 exports.update = function (req, res) {
   // Init Variables
   var user = req.user;
 
-  // For security measurement we remove the roles from the req.body object
-  delete req.body.roles;
-
-  // For security measurement do not use _id from the req.body object
-  delete req.body._id;
-
   if (user) {
-    // Merge existing user
-    user = _.extend(user, req.body);
+    // Update whitelisted fields only
+    user = _.extend(user, _.pick(req.body, whitelistedFields));
+
     user.updated = Date.now();
     user.displayName = user.firstName + ' ' + user.lastName;
 

diff --git a/modules/users/tests/server/user.server.routes.tests.js b/modules/users/tests/server/user.server.routes.tests.js
@@ -807,6 +807,54 @@ describe('User CRUD tests', function () {
     });
   });
 
+  it('should not be able to update secure fields', function (done) {
+    var resetPasswordToken = 'password-reset-token';
+    user.resetPasswordToken = resetPasswordToken;
+
+    user.save(function (saveErr) {
+      if (saveErr) {
+        return done(saveErr);
+      }
+      agent.post('/api/auth/signin')
+        .send(credentials)
+        .expect(200)
+        .end(function (signinErr, signinRes) {
+          // Handle signin error
+          if (signinErr) {
+            return done(signinErr);
+          }
+          var userUpdate = {
+            password: 'Aw3$0m3P@ssWord',
+            salt: 'newsaltphrase',
+            created: new Date(2000, 9, 9),
+            resetPasswordToken: 'tweeked-reset-token'
+          };
+
+          // Get own user details
+          agent.put('/api/users')
+            .send(userUpdate)
+            .expect(200)
+            .end(function (err, res) {
+              if (err) {
+                return done(err);
+              }
+
+              User.findById(user._id, function (dbErr, updatedUser) {
+                if (dbErr) {
+                  return done(dbErr);
+                }
+
+                updatedUser.password.should.be.equal(user.password);
+                updatedUser.salt.should.be.equal(user.salt);
+                updatedUser.created.getTime().should.be.equal(user.created.getTime());
+                updatedUser.resetPasswordToken.should.be.equal(resetPasswordToken);
+                done();
+              });
+            });
+        });
+    });
+  });
+
   it('should not be able to update own user details if not logged-in', function (done) {
     user.roles = ['user'];