Merge pull request #1162 from CVEProject/jd-1159

#1159 Prevents possible toString override
CVEProject · Jan 10, 2024 · 6332611 · 6332611
2 parents eb5bec4 + ceab24d
commit 6332611
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/controller/org.controller/index.js b/src/controller/org.controller/index.js
@@ -558,6 +558,7 @@ router.post('/org/:shortname/user',
   body(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH),
   body(['authority.active_roles']).optional()
     .custom(mw.isFlatStringArray)
+    .bail()
     .customSanitizer(toUpperCaseArray)
     .custom(isUserRole),
   parseError,
@@ -732,6 +733,7 @@ router.put('/org/:shortname/user/:username',
   query(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH),
   query(['active_roles.add']).optional().toArray()
     .custom(isFlatStringArray)
+    .bail()
     .customSanitizer(toUpperCaseArray)
     .custom(isUserRole).withMessage(errorMsgs.USER_ROLES),
   query(['active_roles.remove']).optional().toArray()