From 99b4531e3bbc3a10cc0c25dd2eb2c9df24b02d15 Mon Sep 17 00:00:00 2001
From: dastaj <78434825+dastaj@users.noreply.github.com>
Date: Wed, 10 Jan 2024 17:00:43 +0100
Subject: [PATCH] Fixed mass_assignment vuln

---
 server/endpoints/invite.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/server/endpoints/invite.js b/server/endpoints/invite.js
index 08f9a14e9a..c5c344510f 100644
--- a/server/endpoints/invite.js
+++ b/server/endpoints/invite.js
@@ -33,7 +33,7 @@ function inviteEndpoints(app) {
 app.post("/invite/:code", async (request, response) => {
 try {
 const { code } = request.params;
- const userParams = reqBody(request);
+ const { username, password } = reqBody(request);
 const invite = await Invite.get({ code });
 if (!invite || invite.status !== "pending") {
 response
@@ -42,7 +42,11 @@ function inviteEndpoints(app) {
 return;
 }

- const { user, error } = await User.create(userParams);
+ const { user, error } = await User.create(({
+ username,
+ password,
+ role: "default",
+ }));
 if (!user) {
 console.error("Accepting invite:", error);
 response
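Review bot: The allow-list in the second hunk closes the mass-assignment path (the request body can no longer set `role` or any other field), but nothing in the new code checks that `username` and `password` are present strings before they reach `User.create`; unless `User.create` validates its own input, which is not visible here, a missing or non-string value from the JSON body goes straight through, so a guard such as `if (typeof username !== "string" || typeof password !== "string") { /* respond 400 and return, like the other early returns in this handler */ }` placed before the create call would make the endpoint's contract explicit. The double parentheses in `User.create(({ ... }))` are redundant and read like a leftover from editing; the plain form `User.create({ username, password, role: "default" })` says the same thing. If the project keeps role names in a shared constant, referencing it instead of the literal `"default"` would keep this in step with wherever roles are checked, but that is inferred rather than visible in the hunk. Both hunks sit inside the `app.post("/invite/:code", ...)` handler within `inviteEndpoints`, which begins before the first hunk and continues past the second.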