Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: user sanitization should clean up email change info too #1759

Merged
merged 1 commit into from
Sep 3, 2024
Merged

fix: user sanitization should clean up email change info too #1759

merged 1 commit into from
Sep 3, 2024

Conversation

staaldraad
Copy link
Contributor

@staaldraad staaldraad commented Sep 3, 2024
edited by hf
Loading

The sanitizeUser function did not cleanup the EmailChange and EmailChangeSentAt properties on a User. If a User had a pending email address change, the new address could be leaked via a crafted signUp request.

@staaldraad
fix: sanitizeUser function should clean EmailChange
7f084b2 
The sanitizeUser function did not cleanup the EmailChange and
EmailChangeSentAt properties on a User. If a User had a pending
email address change, the new address could be leaked via a crafted
signUp request.
@staaldraad staaldraad requested a review from a team as a code owner September 3, 2024 13:50
@coveralls
Copy link

Pull Request Test Coverage Report for Build 10684300632

Details

  • 2 of 2 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 57.92%
Totals Coverage Status
Change from base Build 10667529749: 0.0%
Covered Lines: 9138
Relevant Lines: 15777
💛 - Coveralls

@hf hf changed the title fix: sanitizeUser function should clean EmailChange fix: user sanitization should clean up email change info too Sep 3, 2024
@hf hf merged commit 9d419b4 into master Sep 3, 2024
5 checks passed
@hf hf deleted the fix/update-sanitize-signup branch September 3, 2024 14:03
@github-actions github-actions bot mentioned this pull request Sep 3, 2024
Merged
hf pushed a commit that referenced this pull request Sep 24, 2024
@github-actions
chore(master): release 2.161.0 (#1760)
5b03fda 
🤖 I have created a release *beep* *boop*
---


##
[2.161.0](v2.160.0...v2.161.0)
(2024-09-24)


### Features

* add `x-sb-error-code` header, show error code in logs
([#1765](#1765))
([ed91c59](ed91c59))
* add webauthn configuration variables
([#1773](#1773))
([77d5897](77d5897))
* config reloading
([#1771](#1771))
([6ee0091](6ee0091))


### Bug Fixes

* add additional information around errors for missing content type
header ([#1576](#1576))
([c2b2f96](c2b2f96))
* add token to hook payload for non-secure email change
([#1763](#1763))
([7e472ad](7e472ad))
* update aal requirements to update user
([#1766](#1766))
([25d9874](25d9874))
* update mfa admin methods
([#1774](#1774))
([567ea7e](567ea7e))
* user sanitization should clean up email change info too
([#1759](#1759))
([9d419b4](9d419b4))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hf hf hf approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@staaldraad @coveralls @hf