[BUG] Fixed mass_assignment vuln (#566)

Fixed mass_assignment vuln Co-authored-by: dastaj <78434825+dastaj@users.noreply.github.com>
Mintplex-Labs · Jan 10, 2024 · 8cd3a92 · 8cd3a92
1 parent 259079a
commit 8cd3a92
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/server/endpoints/invite.js b/server/endpoints/invite.js
@@ -33,7 +33,7 @@ function inviteEndpoints(app) {
   app.post("/invite/:code", async (request, response) => {
     try {
       const { code } = request.params;
-      const userParams = reqBody(request);
+      const { username, password } = reqBody(request);
       const invite = await Invite.get({ code });
       if (!invite || invite.status !== "pending") {
         response
@@ -42,7 +42,11 @@ function inviteEndpoints(app) {
         return;
       }
 
-      const { user, error } = await User.create(userParams);
+      const { user, error } = await User.create(({
+        username,
+        password,
+        role: "default",
+      }));
       if (!user) {
         console.error("Accepting invite:", error);
         response