fix(herowars): replace Object.assign with explicit field whitelists

Mass assignment via Object.assign(entity, req.body) allowed callers
to overwrite protected fields (id, author). Updates are now restricted
to explicitly listed data fields on both Clan and Member.
This commit is contained in:
2026-04-26 20:42:29 +02:00
parent 98847b31e7
commit f293d35455
2 changed files with 8 additions and 2 deletions
+4 -1
View File
@@ -98,7 +98,10 @@ module.exports.updateClan = asyncHandler(async (req, res, next) => {
if (req.payload.id !== clan.author.id) { if (req.payload.id !== clan.author.id) {
return next(new ErrorResponse("Unauthorized", 401, "Authentication required.")); return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
} }
Object.assign(clan, req.body.clan); const UPDATABLE_FIELDS = ['country', 'description', 'disbanding', 'frameId', 'flag', 'level', 'membersCount', 'minLevel', 'ownerId', 'serverId', 'title', 'topActivity', 'topDungeon'];
UPDATABLE_FIELDS.forEach(field => {
if (typeof req.body.clan[field] !== 'undefined') clan[field] = req.body.clan[field];
});
let data = await ClanService.updateClan(clan); let data = await ClanService.updateClan(clan);
res.status(200).json({ res.status(200).json({
message: 'Clan updated successfully.', message: 'Clan updated successfully.',
+4 -1
View File
@@ -96,7 +96,10 @@ module.exports.updateMember = asyncHandler(async (req, res, next) => {
if (req.payload.id !== member.author.id) { if (req.payload.id !== member.author.id) {
return next(new ErrorResponse("Unauthorized", 401, "Authentication required.")); return next(new ErrorResponse("Unauthorized", 401, "Authentication required."));
} }
Object.assign(member, req.body.member); const UPDATABLE_FIELDS = ['name', 'lastLoginTime', 'serverId', 'level', 'clanId', 'clanRole', 'commander', 'avatarId', 'isChatModerator', 'frameId', 'leagueId', 'clanTitle', 'champion', 'stats', 'membership', 'adventureSum', 'clanGiftsSum', 'clanWarSum', 'history', 'score', 'scoreGifts', 'warGifts', 'rewards'];
UPDATABLE_FIELDS.forEach(field => {
if (typeof req.body.member[field] !== 'undefined') member[field] = req.body.member[field];
});
let data = await MemberService.updateMember(member); let data = await MemberService.updateMember(member);
res.status(200).json({ res.status(200).json({