[backend] check multiple keys for meEdit mutation (#9739)

OpenCTI-Platform · Jan 28, 2025 · b89f94c · b89f94c
1 parent 6a2ebc8
commit b89f94c
Show file tree

Hide file tree

Showing 2 changed files with 97 additions and 21 deletions.
diff --git a/opencti-platform/opencti-graphql/src/domain/user.js b/opencti-platform/opencti-graphql/src/domain/user.js
@@ -833,28 +833,30 @@ const ME_USER_MODIFIABLE_ATTRIBUTES = [
   'draft_context',
 ];
 export const meEditField = async (context, user, userId, inputs, password = null) => {
-  const input = R.head(inputs);
-  const { key } = input;
-  // Check if field can be updated by the user
-  if (PROTECTED_USER_ATTRIBUTES.includes(key)) {
-    throw ForbiddenAccess();
-  }
-  // If the user is external, some extra attributes must be protected
-  if (user.external && PROTECTED_EXTERNAL_ATTRIBUTES.includes(key)) {
-    throw ForbiddenAccess();
-  }
-  // On MeUser only some fields are updatable
-  if (!ME_USER_MODIFIABLE_ATTRIBUTES.includes(key)) {
-    throw ForbiddenAccess();
-  }
-  // Check password confirmation in case of password change
-  if (key === 'password') {
-    const dbPassword = user.session_password;
-    const match = bcrypt.compareSync(password, dbPassword);
-    if (!match) {
-      throw FunctionalError('The current password you have provided is not valid');
+  inputs.forEach((input) => {
+    const { key } = input;
+    // Check if field can be updated by the user
+    if (PROTECTED_USER_ATTRIBUTES.includes(key)) {
+      throw ForbiddenAccess();
     }
-  }
+    // If the user is external, some extra attributes must be protected
+    if (user.external && PROTECTED_EXTERNAL_ATTRIBUTES.includes(key)) {
+      throw ForbiddenAccess();
+    }
+    // On MeUser only some fields are updatable
+    if (!ME_USER_MODIFIABLE_ATTRIBUTES.includes(key)) {
+      throw ForbiddenAccess();
+    }
+    // Check password confirmation in case of password change
+    if (key === 'password') {
+      const dbPassword = user.session_password;
+      const match = bcrypt.compareSync(password, dbPassword);
+      if (!match) {
+        throw FunctionalError('The current password you have provided is not valid');
+      }
+    }
+  });
+
   return userEditField(context, user, userId, inputs);
 };
 

diff --git a/opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/user-test.ts b/opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/user-test.ts
@@ -1011,3 +1011,77 @@ describe('User has no settings capability and is organization admin query behavi
     expect(queryResult.data.user).toBeNull();
   });
 });
+
+describe('meUser specific resolvers', async () => {
+  const ME_EDIT = gql`
+    mutation meEdit($input: [EditInput]!, $password: String) {
+      meEdit(input: $input, password: $password) {
+        id
+        name
+        user_email
+        external
+        firstname
+        lastname
+        language
+        theme
+        api_token
+        otp_activated
+        otp_qr
+        description
+      }
+    }
+  `;
+
+  it('User should update authorized attribute', async () => {
+    const variables = {
+      password: USER_EDITOR.password,
+      input: [
+        { key: 'language', value: 'fr-fr' },
+      ]
+    };
+    const queryResult = await queryAsUserWithSuccess(USER_EDITOR.client, {
+      query: ME_EDIT,
+      variables,
+    });
+    expect(queryResult.data.meEdit.language).toEqual('fr-fr');
+  });
+  it('User should NOT update unauthorized attribute', async () => {
+    const variables = {
+      password: USER_EDITOR.password,
+      input: [
+        { key: 'api_token', value: 'd434ce02-e58e-4cac-8b4c-42bf16748e84' },
+      ]
+    };
+    await queryAsUserIsExpectedForbidden(USER_EDITOR.client, {
+      query: ME_EDIT,
+      variables,
+    });
+  });
+  it('User should update multiple authorized attributes', async () => {
+    const variables = {
+      password: USER_EDITOR.password,
+      input: [
+        { key: 'language', value: 'en-us' },
+        { key: 'theme', value: 'dark' },
+      ]
+    };
+    const queryResult = await queryAsUserWithSuccess(USER_EDITOR.client, {
+      query: ME_EDIT,
+      variables,
+    });
+    expect(queryResult.data.meEdit.language).toEqual('en-us');
+  });
+  it('User should NOT update multiple attribute when unauthorized keys in input', async () => {
+    const variables = {
+      password: USER_EDITOR.password,
+      input: [
+        { key: 'language', value: 'fr-fr' },
+        { key: 'api_token', value: 'd434ce02-e58e-4cac-8b4c-42bf16748e84' },
+      ]
+    };
+    await queryAsUserIsExpectedForbidden(USER_EDITOR.client, {
+      query: ME_EDIT,
+      variables,
+    });
+  });
+});