From cae06a0fb4f8f23546c02ab349e2b838f7a62e31 Mon Sep 17 00:00:00 2001
From: Tamir Gershberg <47638346+tamirGer@users.noreply.github.com>
Date: Sat, 23 Dec 2023 12:31:31 +0200
Subject: [PATCH] feat(excessive data exposure): add user phone number on `/api/users/one/:email` (#295)

---
 README.md | 4 +++-
 src/users/api/UserDto.ts | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 5781a354..d91edb7b 100644
--- a/README.md
+++ b/README.md
@@ -135,4 +135,6 @@ Additionally, the endpoint PUT /api/users/one/{email}/photo accepts SVG images,
 * **Broken Function Level Authorization** - The endpoint DELETE `/users/one/:id/photo?isAdmin=` can be used to delete any user's profile photo by enumerating the user IDs and setting the `isAdmin` query parameter to true, as there is no validation of it's value on the server side.
-* **IFrame Injection** - The `/testimonials` page a URL parameter `videosrc` which directly controls the src attribute of the IFrame at the bottom of this page. Similarly, the home page takes a URL param `maptitle` which directly controls the `title` attribute of the IFrame at the CONTACT section of this page.
\ No newline at end of file
+* **IFrame Injection** - The `/testimonials` page a URL parameter `videosrc` which directly controls the src attribute of the IFrame at the bottom of this page. Similarly, the home page takes a URL param `maptitle` which directly controls the `title` attribute of the IFrame at the CONTACT section of this page.
+
+* **Excessive Data Exposure** - The `/api/users/one/:email` is supposed to expose only basic user information required to be displayed on the UI, but it also returns the user's phone number which is unnecessary information.
\ No newline at end of file
diff --git a/src/users/api/UserDto.ts b/src/users/api/UserDto.ts
index 1d7fd74c..b786d8ed 100644
--- a/src/users/api/UserDto.ts
+++ b/src/users/api/UserDto.ts
@@ -29,7 +29,7 @@ export class UserDto {
   @ApiProperty({ example: '4263982640269299' })
   cardNumber: string;
-  @Expose({ groups: [FULL_USER_INFO] })
+  @Expose({ groups: [BASIC_USER_INFO, FULL_USER_INFO] })
   @ApiProperty({ example: '12065550100' })
   phoneNumber: string;
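Review bot: The `BASIC_USER_INFO` group added to the `@Expose` decorator on `phoneNumber` is an identifier the hunk does not show being imported; if it is not already brought into scope alongside `FULL_USER_INFO` at the top of `UserDto.ts`, the class will not compile. Because this repository documents the exposure in the README as a deliberate vulnerability, the widened group should carry a comment saying so, otherwise a future maintainer cannot distinguish it from an accidental over-exposure of a field that the surrounding decorators treat as full-profile data: `// Intentional vulnerability (Excessive Data Exposure, see README): phoneNumber is serialized in the BASIC group, so GET /api/users/one/:email returns it`. The `@Expose` decorator for `cardNumber` sits above the hunk, so whether it stays restricted to `FULL_USER_INFO` cannot be confirmed from here. The `UserDto` class begins before this hunk.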