From effeb6c809dee4bff14a079d6d9627824573225e Mon Sep 17 00:00:00 2001
From: mntmn <lukas@mntmn.com>
Date: Mon, 11 May 2020 18:28:12 +0200
Subject: [PATCH] security: prevent leak of creator information in space responses; ensure home folder id is set when creating space

---
 models/db.js         | 11 +++++++++++
 routes/api/spaces.js | 10 +++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/models/db.js b/models/db.js
index a0d2950..a803473 100644
--- a/models/db.js
+++ b/models/db.js
@@ -51,6 +51,17 @@ module.exports = {
     updated_at: {type: Sequelize.DATE, defaultValue: Sequelize.NOW}
   }),
 
+  CreatorSafeInclude: function(db) {
+    return {
+      model: this.User,
+      as: 'creator',
+      attributes: ['_id','email','nickname',
+        'avatar_original_uri',
+        'avatar_thumb_uri',
+        'created_at','updated_at']
+    };
+  },
+
   Session: sequelize.define('session', {
     token: {type: Sequelize.STRING, primaryKey: true},
     user_id: Sequelize.STRING,
diff --git a/routes/api/spaces.js b/routes/api/spaces.js
index ea41d3c..a74c22d 100644
--- a/routes/api/spaces.js
+++ b/routes/api/spaces.js
@@ -71,7 +71,7 @@ router.get('/', function(req, res, next) {
         {"_id": {[Op.in]: spaceIds}},
         {"parent_space_id": {[Op.in]: spaceIds}}],
       name: {[Op.like]: "%"+req.query.search+"%"}
-    }, include: ['creator']};
+    }, include: [db.CreatorSafeInclude(db)]};
 
     db.Space
       .findAll(q)
@@ -87,7 +87,6 @@ router.get('/', function(req, res, next) {
       .findOne({where: {
         _id: req.query.parent_space_id
       }})
-      //.populate('creator', userMapping)
       .then(function(space) {
         if (space) {
           db.getUserRoleInSpace(space, req.user, function(role) {
@@ -101,7 +100,7 @@ router.get('/', function(req, res, next) {
             db.Space
               .findAll({where:{
                 parent_space_id: req.query.parent_space_id
-              }, include:['creator']})
+              }, include:[db.CreatorSafeInclude(db)]})
               .then(function(spaces) {
                 res.status(200).json(spaces);
               });
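Review bot: `CreatorSafeInclude` takes a `db` argument but never uses it, resolving the model through `this.User` instead; that only works while the function is invoked as a method of the exports object, and a call through a detached reference would fail on `this`. Since every call site in this patch already passes `db`, `model: db.User,` removes the dependence on call style. Separately, the allow-list still returns `email` to anyone who can list a space; whether a creator's address is meant to be visible to other members is not decidable from this diff and is worth confirming against the product's privacy expectations before this shape is relied on.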
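Review bot: The safe projection is opt-in at each `include`, so the fix covers only the call sites changed here (this hunk, `@@ -101` and `@@ -147`); any other query that still includes the `creator` association by its bare alias, or serializes a User row directly, would keep exposing the full row, and this diff does not show whether such queries exist. A default-deny complement is to exclude the sensitive columns in the User model's `defaultScope` (`defaultScope: { attributes: { exclude: [/* sensitive columns */] } }`), so an include that forgets `CreatorSafeInclude` still never serializes them, while keeping the explicit allow-list for the public shape. The enclosing `router.get('/')` handler starts before and ends after this hunk.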
@@ -147,7 +146,7 @@ router.get('/', function(req, res, next) {
     };
 
     db.Space
-      .findAll({where: q, include: ['creator']})
+      .findAll({where: q, include: [db.CreatorSafeInclude(db)]})
       .then(function(spaces) {
         var updatedSpaces = spaces.map(function(s) {
           var spaceObj = db.spaceToObject(s);
@@ -169,7 +168,7 @@ router.post('/', function(req, res, next) {
     attrs._id = uuidv4();
     attrs.creator_id = req.user._id;
     attrs.edit_hash = crypto.randomBytes(64).toString('hex').substring(0, 7);
-    attrs.edit_slug = slug(attrs.name);
+    attrs.edit_slug = attrs.edit_slug || slug(attrs.name);
     attrs.access_mode = "private";
 
     db.Space.create(attrs).then(createdSpace => {
@@ -211,6 +210,7 @@ router.post('/', function(req, res, next) {
       }
     });
   } else {
+    attrs.parent_space_id = req.user.home_folder_id;
     createSpace();
   }
 
-- 
GitLab
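Review bot: `attrs.edit_slug = attrs.edit_slug || slug(attrs.name);` now accepts a caller-supplied `edit_slug` verbatim; where `attrs` is built is outside the hunk, but `attrs.name` being read from it suggests it comes from the request body. Until now the slug was always produced by `slug()`, so downstream code may assume a URL-safe, slug-shaped value; normalizing the override with `attrs.edit_slug = slug(attrs.edit_slug || attrs.name);` keeps that invariant while still honoring the caller's choice. On the unchanged line above, `edit_hash` keeps only 7 hex characters (28 bits) of the 64 random bytes generated; if that value acts as an edit capability it is short enough to be worth revisiting, though that predates this commit. The enclosing `router.post('/')` handler starts before this hunk.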
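Review bot: The new `attrs.parent_space_id = req.user.home_folder_id;` assigns whatever the user record holds without checking that `home_folder_id` is actually set, so an account with no home folder would still create a space with a null parent, the case the subject line says this change is meant to prevent; it appears the `if` branch above (outside the hunk) validates only a client-supplied parent. Add a guard before `createSpace()`, e.g. `if (req.user.home_folder_id == null) { /* respond with an error and return */ }`, using the same error-response shape as the surrounding handler. The enclosing `router.post('/')` handler starts before this hunk.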