CVE-2022-3019: fix: hide user data from comments module · ToolJet/ToolJet@45e0d33
The forgot-password token basically just makes us capable of taking over the account of whoever comments in an app that we can see (brute-forcing comment IDs might also be an option, but I wouldn’t count on it, since it would take a long time to find a valid one).
@@ -6,7 +6,7 @@ import { CommentRepository } from '…/repositories/comment.repository’; import { CreateCommentDto, UpdateCommentDto } from '…/dto/comment.dto’; import { groupBy, head } from 'lodash’; import { EmailService } from './email.service’; import { Repository } from 'typeorm’; import { createQueryBuilder, Repository } from 'typeorm’; import { AppVersion } from 'src/entities/app_version.entity’; import { User } from 'src/entities/user.entity’; import { CommentUsers } from 'src/entities/comment_user.entity’; @@ -23,7 +23,7 @@ export class CommentService { @InjectRepository(CommentUsers) private commentUsersRepository: Repository<CommentUsers>, private emailService: EmailService ) {} ) { }
public async createComment(createCommentDto: CreateCommentDto, user: User): Promise<Comment> { try { @@ -64,15 +64,17 @@ export class CommentService { }
public async getComments(threadId: string, appVersionsId: string): Promise<Comment[]> { return await this.commentRepository.find({ where: { return await createQueryBuilder(Comment, ‘comment’) .innerJoin('comment.user’, ‘user’) .addSelect(['user.id’, 'user.firstName’, ‘user.lastName’]) .andWhere('comment.threadId = :threadId’, { threadId, }) .andWhere('comment.appVersionsId = :appVersionsId’, { appVersionsId, }, order: { createdAt: 'ASC’, }, }); }) .orderBy('comment.createdAt’, ‘ASC’) .getMany(); }
public async getOrganizationComments(organizationId: string, appVersionsId: string): Promise<Comment[]> { @@ -93,16 +95,22 @@ export class CommentService { isResolved = false, appVersionsId: string ): Promise<Comment[]> { const comments = await this.commentRepository.find({ where: { thread: { appId, isResolved }, const comments = await createQueryBuilder(Comment, ‘comment’) .innerJoin('comment.user’, ‘user’) .addSelect(['user.id’, 'user.firstName’, ‘user.lastName’]) .innerJoin('comment.thread’, ‘thread’) .addSelect([‘thread.id’]) .andWhere('thread.appId = :appId’, { appId, }) .andWhere('thread.isResolved = :isResolved’, { isResolved, }) .andWhere('comment.appVersionsId = :appVersionsId’, { appVersionsId, }, order: { createdAt: 'DESC’, }, relations: [‘thread’], }); }) .orderBy('comment.createdAt’, ‘DESC’) .getMany();
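Review bot: The column allow-list in getComments, `.addSelect(['user.id', 'user.firstName', 'user.lastName'])`, protects only this query, and the same list is repeated in the next hunk; any other path that loads `comment.user` through a repository `find` would presumably still serialize the full user row, including the forgot-password token the description mentions. The User entity is not part of this diff, so this is inferred, but marking the secret columns `@Column({ select: false })` on the entity (or excluding them at serialization) would make the safe behaviour the default instead of something every query has to remember. The body of getOrganizationComments lies outside the visible hunks and should be checked for the same exposure. A regression test asserting that the user object in the comments response carries only `id`, `firstName` and `lastName` would keep this from reappearing.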
const groupedComments = groupBy(comments, ‘threadId’);
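Review bot: Replacing `relations: ['thread']` with `.addSelect(['thread.id'])` means each returned comment now carries a thread object holding only `id`, and `.innerJoin('comment.user', 'user')` drops any comment whose author row no longer exists; both are behaviour changes beyond hiding user fields. If callers read other thread properties or expect comments from removed users they will silently get less data, so this is worth confirming, or use `.leftJoin('comment.user', 'user')` if orphaned comments should still be listed. The start of this function's signature and the code after the `groupBy` call lie outside the hunk. Consider also `this.commentRepository.createQueryBuilder('comment')` in place of the module-level `createQueryBuilder`, so the query goes through the injected repository and can be mocked in tests.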