Description
A critical Mass Assignment vulnerability exists within the application's update endpoints for both Tasks (updateTask in taskController.js) and Routines (updateRoutine in routineController.js).
When updating a task or a routine, the backend directly takes the entire req.body object and passes it to Mongoose's $set operator. Because there is no input sanitization or whitelisting of modifiable fields, an attacker can arbitrarily inject and update sensitive database fields. Most critically, an attacker can overwrite the userId field, effectively transferring ownership of a task or routine to another user account (Insecure Direct Object Reference).
Steps to Reproduce
- Authenticate as User A and create a new task. Note the _id of this task.
- Authenticate as User B and obtain User B's internal userId from the database or API responses.
- As User A, send a PUT or PATCH request to the update task endpoint (/api/tasks/:id) with the following payload:
{
  "title": "Updated Title",
  "userId": "<User_B_ID>"
}
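As an added illustration (not code from this report or the project), the vulnerable "whole body into $set" construction beside a hardened form: an allowlist of client-updatable fields, a helper that surfaces dropped keys for logging or a 400 response, and an owner-scoped query filter. The task field names other than _id and userId, and the findOneAndUpdate-style shapes, are assumptions; the block runs without Express or Mongoose.

```javascript
// Added example, not the project's code: the update pattern from the report,
// written as plain functions so it runs without Express or Mongoose.
// Field names besides userId and _id are assumptions about the task schema.

// Fields a client may change on a task. userId is deliberately absent.
const TASK_UPDATABLE_FIELDS = ["title", "description", "completed", "dueDate"];

// Vulnerable shape from the report: the entire request body becomes $set,
// so any schema field, including userId, can be overwritten.
function buildUnsafeUpdate(body) {
  return { $set: body };
}

// Hardened shape: copy only allowlisted own properties of the body.
function buildSafeUpdate(body, allowed = TASK_UPDATABLE_FIELDS) {
  const set = {};
  if (body === null || typeof body !== "object") return { $set: set };
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) set[key] = body[key];
  }
  return { $set: set };
}

// Keys the client sent that were dropped; a handler can reject the request
// with 400 or log them as a signal of probing for mass assignment.
function rejectedFields(body, allowed = TASK_UPDATABLE_FIELDS) {
  if (body === null || typeof body !== "object") return [];
  return Object.keys(body).filter((k) => !allowed.includes(k));
}

// Filter for a findOneAndUpdate-style call that scopes the write to the
// caller's own document: a valid _id owned by another user matches nothing.
function ownerScopedFilter(taskId, callerUserId) {
  return { _id: taskId, userId: callerUserId };
}

// Constructed request body mirroring the report's payload.
const attackerBody = { title: "Updated Title", userId: "<User_B_ID>" };

console.log(JSON.stringify(buildUnsafeUpdate(attackerBody))); // userId reaches $set
console.log(JSON.stringify(buildSafeUpdate(attackerBody)));   // {"$set":{"title":"Updated Title"}}
console.log(rejectedFields(attackerBody));                    // the dropped userId key
```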