security: prevent leak of creator information in space responses; ensure home folder id is set when creating space

2025-12-15 17:37:30 +01:00 · 2020-05-11 18:28:12 +02:00
parent 3a65560a3b
commit 078634ee52
2 changed files with 16 additions and 5 deletions
--- a/models/db.js
+++ b/models/db.js
@@ -51,6 +51,17 @@ module.exports = {
    updated_at: {type: Sequelize.DATE, defaultValue: Sequelize.NOW}
  }),

+  CreatorSafeInclude: function(db) {
+    return {
+      model: this.User,
+      as: 'creator',
+      attributes: ['_id','email','nickname',
+                   'avatar_original_uri',
+                   'avatar_thumb_uri',
+                   'created_at','updated_at']
+    };
+  },
+
  Session: sequelize.define('session', {
    token: {type: Sequelize.STRING, primaryKey: true},
    user_id: Sequelize.STRING,
--- a/routes/api/spaces.js
+++ b/routes/api/spaces.js
@@ -71,7 +71,7 @@ router.get('/', function(req, res, next) {
                   {"_id": {[Op.in]: spaceIds}},
                   {"parent_space_id": {[Op.in]: spaceIds}}],
          name: {[Op.like]: "%"+req.query.search+"%"}
-        }, include: ['creator']};
+        }, include: [db.CreatorSafeInclude(db)]};

        db.Space
          .findAll(q)
@@ -87,7 +87,6 @@ router.get('/', function(req, res, next) {
        .findOne({where: {
          _id: req.query.parent_space_id
        }})
-        //.populate('creator', userMapping)
        .then(function(space) {
          if (space) {
            db.getUserRoleInSpace(space, req.user, function(role) {
@@ -101,7 +100,7 @@ router.get('/', function(req, res, next) {
                db.Space
                  .findAll({where:{
                    parent_space_id: req.query.parent_space_id
-                  }, include:['creator']})
+                  }, include:[db.CreatorSafeInclude(db)]})
                  .then(function(spaces) {
                    res.status(200).json(spaces);
                  });
@@ -147,7 +146,7 @@ router.get('/', function(req, res, next) {
        };

        db.Space
-          .findAll({where: q, include: ['creator']})
+          .findAll({where: q, include: [db.CreatorSafeInclude(db)]})
          .then(function(spaces) {
            var updatedSpaces = spaces.map(function(s) {
              var spaceObj = db.spaceToObject(s);
@@ -169,7 +168,7 @@ router.post('/', function(req, res, next) {
      attrs._id = uuidv4();
      attrs.creator_id = req.user._id;
      attrs.edit_hash = crypto.randomBytes(64).toString('hex').substring(0, 7);
-      attrs.edit_slug = slug(attrs.name);
+      attrs.edit_slug = attrs.edit_slug || slug(attrs.name);
      attrs.access_mode = "private";
      
      db.Space.create(attrs).then(createdSpace => {
@@ -211,6 +210,7 @@ router.post('/', function(req, res, next) {
        }
      });
    } else {
+      attrs.parent_space_id = req.user.home_folder_id;
      createSpace();
    }