vinterliste/tests
Ole-Morten Duesund 0e5bf0a035 fix(activities): close existence oracle on PATCH /:id/sort
The sort endpoint validated existence with a bare
`SELECT 1 FROM activities WHERE id = ?`, ignoring visibility. A
logged-in attacker could PATCH /sort with any UUID and distinguish
"private id exists, owned by someone else" (200) from "id doesn't
exist" (404), letting them enumerate private activity ids.

Apply the same visibility filter as GET /:id, toggleDone, and
toggleFiling: private requires owner; friends requires mutual-friend
+ no block in either direction; hidden rows return 404, not 403.

Regression test added in tests/activities.test.ts.

Surfaced by /audit security (HIGH severity).
2026-05-25 20:34:50 +02:00
activities.test.ts fix(activities): close existence oracle on PATCH /:id/sort 2026-05-25 20:34:50 +02:00
admin.test.ts feat(tags): moderators and admins can delete public tags 2026-05-25 17:57:33 +02:00
auth.test.ts Close the recovery lockout-DoS hole on /auth/recovery-complete 2026-05-25 12:28:26 +02:00
crypto.test.ts Scaffold Vinterliste — end-to-end encrypted winter activity list 2026-05-25 12:27:14 +02:00
engagement.test.ts feat(activity): per-viewer archive and hide 2026-05-25 20:19:44 +02:00
friends.test.ts test(friends): lock in directional visibility semantics 2026-05-25 15:02:57 +02:00
helpers.ts test: coverage for all major server features 2026-05-25 15:37:53 +02:00
profile.test.ts test: coverage for all major server features 2026-05-25 15:37:53 +02:00
social.test.ts fix(invites): build share URL on the client, not the server 2026-05-25 16:25:55 +02:00