Hotfix: Fixing Security Issues (#2848)

* Fixing Privilege Escalation

* Fixing critical insecure direct object reference (IDOR) in availability

* Fixing reschedule security issue

Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
Co-authored-by: Peer Richelsen <peeroke@gmail.com>
Leo Giovanetti
2022-05-23 08:29:29 -03:00
committed by GitHub
parent 27422c351c
commit 38f23986ad
3 changed files with 20 additions and 0 deletions


@@ -91,6 +91,8 @@ const handler = async (
},
});
if (bookingToReschedule.userId !== userOwner.id) throw new Error("UNAUTHORIZED");
if (bookingToReschedule && userOwner) {
let event: Partial<EventType> = {};
if (bookingToReschedule.eventTypeId) {
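Review bot: The added ownership check dereferences `bookingToReschedule.userId` and `userOwner.id` before the `if (bookingToReschedule && userOwner)` guard on the next line, and that guard suggests either value can be null; in that case the handler throws a TypeError on the property access instead of the intended UNAUTHORIZED error. Folding the null cases into the check keeps one failure path: `if (!bookingToReschedule || !userOwner || bookingToReschedule.userId !== userOwner.id) throw new Error("UNAUTHORIZED");`. A plain `Error` is also only distinguishable by its message, so if the surrounding handler maps errors to HTTP status codes it is worth confirming that this reaches the client as a 401/403 rather than a generic 500. The `handler` function begins before this hunk and continues after it.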


@@ -143,6 +143,17 @@ export const availabilityRouter = createProtectedRouter()
async resolve({ input, ctx }) {
const { user, prisma } = ctx;
const scheduleToDelete = await prisma.schedule.findFirst({
where: {
id: input.scheduleId,
},
select: {
userId: true,
},
});
if (scheduleToDelete?.userId !== user.id) throw new TRPCError({ code: "UNAUTHORIZED" });
if (user.defaultScheduleId === input.scheduleId) {
// unset default
await prisma.user.update({
@@ -197,8 +208,13 @@ export const availabilityRouter = createProtectedRouter()
where: {
id: input.scheduleId,
},
select: {
userId: true,
},
});
if (userSchedule?.userId !== user.id) throw new TRPCError({ code: "UNAUTHORIZED" });
if (!userSchedule || userSchedule.userId !== user.id) {
throw new TRPCError({
code: "UNAUTHORIZED",
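Review bot: In the second hunk the one-line guard `if (userSchedule?.userId !== user.id) throw new TRPCError({ code: "UNAUTHORIZED" });` is immediately followed by `if (!userSchedule || userSchedule.userId !== user.id) { throw new TRPCError({ code: "UNAUTHORIZED", ...`, and the two conditions are equivalent, so one of them is dead and should be removed to leave a single guard to maintain. Separately, both queries in this file are now narrowed to `select: { userId: true }`, which changes the shape of `scheduleToDelete` and `userSchedule`; the resolvers continue past these hunks, so any later read of another field on those objects would now be undefined and should be checked. Treating a missing schedule as UNAUTHORIZED rather than NOT_FOUND is a defensible choice against enumeration, but a short comment such as `// missing and foreign schedules are deliberately indistinguishable to the caller` would record that intent.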


@@ -201,6 +201,8 @@ export const viewerTeamsRouter = createProtectedRouter()
}),
async resolve({ ctx, input }) {
if (!(await isTeamAdmin(ctx.user?.id, input.teamId))) throw new TRPCError({ code: "UNAUTHORIZED" });
if (input.role === MembershipRole.OWNER && !(await isTeamOwner(ctx.user?.id, input.teamId)))
throw new TRPCError({ code: "UNAUTHORIZED" });
const translation = await getTranslation(input.language ?? "en", "common");
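Review bot: The new owner check only gates assigning the OWNER role; nothing visible verifies the current role of the member being changed, so an admin still appears able to demote or reassign an existing owner unless the remainder of `resolve`, which continues past this hunk, does that. Closing the gap means looking up the target membership's current role with prisma before the `getTranslation` call and applying the same `throw new TRPCError({ code: "UNAUTHORIZED" })` when that role is `MembershipRole.OWNER` and `isTeamOwner` is false for the caller. Also, `ctx.user?.id` can pass `undefined` into `isTeamAdmin`/`isTeamOwner` even though this is a `createProtectedRouter` route; if the protected-router middleware guarantees a user, `ctx.user.id` makes that contract explicit rather than relying on the helpers rejecting `undefined`.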