mass assignment vulnerabilities and refactoring of photos

jackiettran
2025-12-12 13:57:44 -05:00
parent 1dee5232a0
commit 25bbf5d20b
5 changed files with 79 additions and 5 deletions


@@ -23,6 +23,18 @@ const ALLOWED_PROFILE_FIELDS = [
'itemRequestNotificationRadius',
];
// Allowed fields for user address create/update (prevents mass assignment)
const ALLOWED_ADDRESS_FIELDS = [
'address1',
'address2',
'city',
'state',
'zipCode',
'country',
'latitude',
'longitude',
];
/**
* Extract only allowed fields from request body
*/
@@ -36,6 +48,19 @@ function extractAllowedProfileFields(body) {
return result;
}
/**
* Extract only allowed address fields from request body
*/
function extractAllowedAddressFields(body) {
const result = {};
for (const field of ALLOWED_ADDRESS_FIELDS) {
if (body[field] !== undefined) {
result[field] = body[field];
}
}
return result;
}
router.get('/profile', authenticateToken, async (req, res, next) => {
try {
const user = await User.findByPk(req.user.id, {
@@ -86,7 +111,9 @@ router.get('/addresses', authenticateToken, async (req, res, next) => {
router.post('/addresses', authenticateToken, async (req, res, next) => {
try {
const address = await userService.createUserAddress(req.user.id, req.body);
// Extract only allowed fields (prevents mass assignment)
const allowedData = extractAllowedAddressFields(req.body);
const address = await userService.createUserAddress(req.user.id, allowedData);
res.status(201).json(address);
} catch (error) {
@@ -103,7 +130,9 @@ router.post('/addresses', authenticateToken, async (req, res, next) => {
router.put('/addresses/:id', authenticateToken, async (req, res, next) => {
try {
const address = await userService.updateUserAddress(req.user.id, req.params.id, req.body);
// Extract only allowed fields (prevents mass assignment)
const allowedData = extractAllowedAddressFields(req.body);
const address = await userService.updateUserAddress(req.user.id, req.params.id, allowedData);
res.json(address);
} catch (error) {
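Review bot: `extractAllowedAddressFields` filters key names only, so in both the POST and PUT `/addresses` handlers whatever value the client sent for an allowed key (an object or array for `latitude`, for instance) is still handed unchanged to `userService.createUserAddress` / `updateUserAddress`. Unless a validator that is not visible in this diff already runs before these handlers, add a type check beside the allowlist, e.g. skip non-scalar values with `if (body[field] !== null && typeof body[field] === 'object') continue;` and range-check the coordinates. Because the filtering lives in the route, any other caller of the two service methods still passes unfiltered data; enforcing the same allowlist inside the service, or through the model's `fields` option on create/update, would be the more durable place. The helper also looks like a copy of `extractAllowedProfileFields` (only its tail is visible here), so a shared `pickAllowedFields(body, allowedFields)` would keep the two from drifting. A PUT whose body contains no allowed field now reaches the service with `{}`; consider answering that case with a 400 instead of a silent no-op.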