Hotfix: Fixing Security Issues (#2848)

* Fixing Privilege Escalation * Fixing critical obj ref in availability * Fixing reschedule security issue Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> Co-authored-by: Peer Richelsen <peeroke@gmail.com>
2022-05-23 08:29:29 -03:00
parent 27422c351c
commit 38f23986ad
3 changed files with 20 additions and 0 deletions
--- a/apps/web/pages/api/book/request-reschedule.ts
+++ b/apps/web/pages/api/book/request-reschedule.ts
@@ -91,6 +91,8 @@ const handler = async (
      },
    });

+    if (bookingToReschedule.userId !== userOwner.id) throw new Error("UNAUTHORIZED");
+
    if (bookingToReschedule && userOwner) {
      let event: Partial<EventType> = {};
      if (bookingToReschedule.eventTypeId) {
--- a/apps/web/server/routers/viewer/availability.tsx
+++ b/apps/web/server/routers/viewer/availability.tsx
@@ -143,6 +143,17 @@ export const availabilityRouter = createProtectedRouter()
    async resolve({ input, ctx }) {
      const { user, prisma } = ctx;

+      const scheduleToDelete = await prisma.schedule.findFirst({
+        where: {
+          id: input.scheduleId,
+        },
+        select: {
+          userId: true,
+        },
+      });
+
+      if (scheduleToDelete?.userId !== user.id) throw new TRPCError({ code: "UNAUTHORIZED" });
+
      if (user.defaultScheduleId === input.scheduleId) {
        // unset default
        await prisma.user.update({
@@ -197,8 +208,13 @@ export const availabilityRouter = createProtectedRouter()
        where: {
          id: input.scheduleId,
        },
+        select: {
+          userId: true,
+        },
      });

+      if (userSchedule?.userId !== user.id) throw new TRPCError({ code: "UNAUTHORIZED" });
+
      if (!userSchedule || userSchedule.userId !== user.id) {
        throw new TRPCError({
          code: "UNAUTHORIZED",
--- a/apps/web/server/routers/viewer/teams.tsx
+++ b/apps/web/server/routers/viewer/teams.tsx
@@ -201,6 +201,8 @@ export const viewerTeamsRouter = createProtectedRouter()
    }),
    async resolve({ ctx, input }) {
      if (!(await isTeamAdmin(ctx.user?.id, input.teamId))) throw new TRPCError({ code: "UNAUTHORIZED" });
+      if (input.role === MembershipRole.OWNER && !(await isTeamOwner(ctx.user?.id, input.teamId)))
+        throw new TRPCError({ code: "UNAUTHORIZED" });

      const translation = await getTranslation(input.language ?? "en", "common");