Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pentest 31462 #1586

Open
wants to merge 48 commits into
base: develop
Choose a base branch
from
Open

Pentest 31462 #1586

wants to merge 48 commits into from
+11,838 −3,523

Conversation

anyoussefinia
Copy link
Collaborator

Story: https://jiraent.cms.gov/browse/OY2-32701
Endpoint: https://d1qcvu24747qjj.cloudfront.net/

Details

admin users can visit the /profile/encoded-email page for any user. non admin users can only view other users with matching territories.

Changes

Pentesters identified that any user can visit the /profile/encoded-email page for any other user. Fix to block users that don't have permissions.

Test Plan

  1. Log in as an admin user and see that you can visit any other user page regardless of matching territores.
  2. Log in as non-admin user and verify that you can see another non-admin user with some matching territory.
  3. verify that non-admin user cannot view other users (admin or non admin) that do not have matching territories.

@anyoussefinia
added x-id-token header to getProfile request
716b27a
@anyoussefinia
add backend check for allowed roles/terretories
e3ba2ba
@anyoussefinia
remove and reinstall node modules
7aac43d
@anyoussefinia
remove and reinstall node modules
e458d5c
@anyoussefinia
fix lint error
10b7634
@anyoussefinia
use previous version of jwt-decode 3.1.x
e956111
@anyoussefinia
modify token header to idToken
61ad41b
@anyoussefinia
modify token header to idToken
5691dfe
@anyoussefinia
attempt to modify getUser
135364b
@anyoussefinia
try adding idtoken to body
387a827
@anyoussefinia
change api method to post
68f61ae
@anyoussefinia
parse the user roles
c4b9677
@anyoussefinia
added getUserV2 api method
e0132f3
@anyoussefinia
remove unused imports
d9904a0
@anyoussefinia
resassign type
4483eea
@anyoussefinia
revert table name
1dfe65e
@anyoussefinia
add back serverless plugins
300d660
@anyoussefinia
add back serverless plugins
67cffa8
@anyoussefinia
modify import
d189f6d
@anyoussefinia
add check for if no userRoles/initial login
2ee3df6
@anyoussefinia
try double quoted string
6caf24e
@anyoussefinia
add back keyword custom
e475895
@anyoussefinia
bring in other pentest branch to test batch function
a10c404
@anyoussefinia
sync package-lock
fd7b87a
@anyoussefinia
added one more condition to if check
5d8d67f
@anyoussefinia
update if condition with one more check
a0b2d5f
@anyoussefinia
modify batch function with better logging
f7b3430
@anyoussefinia
wrap error with try catch for better logging
852a8b8
@anyoussefinia
fix property name to extract roles form decode auth token
e2b631a
@anyoussefinia
check matching roles correct .status
6f05cbb
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 6, 2025

Endpoint URL - https://d1qcvu24747qjj.cloudfront.net

@anyoussefinia
Copy link
Collaborator Author

screen-capture.16.webm

andieswift
andieswift requested changes Feb 7, 2025
View reviewed changes
Copy link
Collaborator

@andieswift andieswift left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

getUserV2 is a confusing name, do you think you could either rename this file to match more of what you are doing or make this work part of getUser.js?

Also could you provide me with a user outside of MD so I can test if I can view them? I tried looking with the admin login but I still only see MD packages.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andieswift andieswift andieswift requested changes

@Dark-Knight-1313 Dark-Knight-1313 Awaiting requested review from Dark-Knight-1313 Dark-Knight-1313 is a code owner

@kristin-at-theta kristin-at-theta Awaiting requested review from kristin-at-theta kristin-at-theta is a code owner

@bflynn-cms bflynn-cms Awaiting requested review from bflynn-cms bflynn-cms is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@anyoussefinia @andieswift