
Fix bug when passing an unrelated boxer id as a voteId to POST /api/votes/<combatId> endpoint #947

Merged: 1 commit merged into midudev:main from fix/voting-arbitrary-boxer on May 6, 2024

Conversation

pjmartorell
Contributor

@pjmartorell pjmartorell commented May 6, 2024

Description

A malicious user could make a call to the POST /api/votes/<combatId> endpoint passing an arbitrary boxer id, i.e. voting guanyar in the 1-agustin-51-vs-carreraaa combat.
To mitigate this issue, we can implement filtering on the voteId from combat boxers' IDs. This would prevent the submission or voting of any arbitrary boxer ID that isn't associated with the specified combat.

Problem solved

Fix bug when passing an unrelated boxer id as a voteId to POST /api/votes/<combatId> endpoint.

Proposed changes

Filter voteId from combat boxers ids to prevent passing or voting an arbitrary boxer id not related to the given combat

Screenshots (if applicable)

Change checklist

  • I have checked that there is no PR (pull request) already open with a similar problem, following the best-practices section
  • I have reviewed the changes locally to make sure there are no errors or problems.
  • I have tested these changes on multiple devices and browsers to make sure the landing page looks and works correctly.
  • I have updated the documentation, if applicable.

Potential impact

Additional context

Useful links

  • Project documentation:
  • Reference code:
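The server-side check the PR describes, as an added example that is not the project's own code: the submitted voteId is accepted only if it is one of the boxers registered for the combat named in the URL, so a boxer id from another combat (or a made-up id) is rejected before any vote is stored. The combat table, the boxer ids under the second combat, the `findCombat`/`validateVote`/`handleVote` names and the HTTP status mapping are all assumptions for illustration; only the combat id 1-agustin-51-vs-carreraaa and the boxer id guanyar come from the PR text.

```javascript
// Added example, not code from the PR or the project. The combat data below is
// constructed for illustration; the real project stores combats differently.
const COMBATS = {
  "1-agustin-51-vs-carreraaa": { boxers: ["agustin-51", "carreraaa"] },
  "2-guanyar-vs-rival": { boxers: ["guanyar", "rival"] }, // assumed second combat
};

// Look up a combat by the id taken from the URL path; null if unknown.
function findCombat(combatId) {
  return Object.prototype.hasOwnProperty.call(COMBATS, combatId)
    ? COMBATS[combatId]
    : null;
}

// Returns the validated boxer id, or null if the vote must be rejected.
// The allow-list is the combat's own boxers, so the client cannot vote for
// a boxer that does not take part in this combat.
function validateVote(combatId, voteId) {
  const combat = findCombat(combatId);
  if (combat === null) return null;
  // Reject non-string bodies (arrays, objects, numbers) before comparing.
  if (typeof voteId !== "string") return null;
  return combat.boxers.includes(voteId) ? voteId : null;
}

// Minimal handler shape (assumed; not the project's framework code) showing
// how the check maps to responses for POST /api/votes/<combatId>.
function handleVote(combatId, body) {
  if (findCombat(combatId) === null) {
    return { status: 404, body: { error: "combat not found" } };
  }
  const boxerId = validateVote(combatId, body ? body.voteId : undefined);
  if (boxerId === null) {
    return { status: 400, body: { error: "voteId is not a boxer in this combat" } };
  }
  // At this point a real handler would record the vote for boxerId.
  return { status: 200, body: { combatId, voteId: boxerId } };
}
```

Doing the comparison against the combat record fetched from the server side (rather than against anything the client sends alongside the vote) is what makes the check effective: the client controls both the path and the body, so the allow-list must come from server-held data.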

…votes/<combatId>` endpoint

Filter voteId from combat boxers ids to prevent passing or voting an arbitrary boxer id not related to the given combat

vercel bot commented May 6, 2024

@pjmartorell is attempting to deploy a commit to the midudev pro Team on Vercel.

A member of the Team first needs to authorize it.

@midudev midudev merged commit 358f0de into midudev:main May 6, 2024
1 check failed
@pjmartorell pjmartorell deleted the fix/voting-arbitrary-boxer branch May 13, 2024 19:10
2 participants