From 9d419b400f0637b10e5c235b8fd5bac0d69352bd Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Tue, 3 Sep 2024 16:03:47 +0200
Subject: [PATCH] fix: user sanitization should clean up email change info too (#1759)

The `sanitizeUser` function did not cleanup the **EmailChange** and **EmailChangeSentAt** properties on a User. If a User had a pending email address change, the new address could be leaked via a crafted `signUp` request.
---
 internal/api/signup.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/api/signup.go b/internal/api/signup.go
index 22ac7dc02..1c74da6b6 100644
--- a/internal/api/signup.go
+++ b/internal/api/signup.go
@@ -336,9 +336,9 @@ func sanitizeUser(u *models.User, params *SignupParams) (*models.User, error) {
 u.ID = uuid.Must(uuid.NewV4())
- u.Role = ""
+ u.Role, u.EmailChange = "", ""
 u.CreatedAt, u.UpdatedAt, u.ConfirmationSentAt = now, now, &now
- u.LastSignInAt, u.ConfirmedAt, u.EmailConfirmedAt, u.PhoneConfirmedAt = nil, nil, nil, nil
+ u.LastSignInAt, u.ConfirmedAt, u.EmailChangeSentAt, u.EmailConfirmedAt, u.PhoneConfirmedAt = nil, nil, nil, nil, nil
 u.Identities = make([]models.Identity, 0)
 u.UserMetaData = params.Data
 u.Aud = params.Aud
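Review bot: The reset list in sanitizeUser is still a deny-list: a field is only scrubbed if someone remembers to add it to the `u.Role, u.EmailChange = "", ""` and `u.LastSignInAt, ... = nil, ...` lines, which is exactly how EmailChange and EmailChangeSentAt slipped through, and any other pending-change, token or timestamp field on models.User that is not named on these lines (the struct is not visible from here) would still be echoed back to an unauthenticated signUp caller. A more durable fix builds the response from a fresh `&models.User{}` and copies in only the fields the signup response is allowed to carry, so a column added later defaults to empty instead of leaking. Short of that, a comment above the function such as `// sanitizeUser strips all server-side state from u before it is returned to an unauthenticated signUp caller; every new field on models.User must be reset here or it will leak` makes the invariant explicit, and a test that sets a pending EmailChange/EmailChangeSentAt on an existing user and asserts both are absent from the response would keep it from regressing. The body of sanitizeUser starts before this hunk and continues after it.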