Bug: Missing authorization check in toggle_vote allows players to vote on cards from any game #2520

@Adarshkumar0509

Description

Describe the bug
In player_live/show.ex, the toggle_vote event handler fetches a dealt card using only the dealt_card_id from the event payload without verifying that the card belongs to the current game. This means a player can cast votes on cards from any game by forging the dealt_card_id value in browser devtools.

To Reproduce
Steps to reproduce the behavior:

  1. Create two separate games and join both as a player
  2. Note the dealt_card_id values from game 2
  3. In game 1, open browser devtools console
  4. Trigger a toggle_vote event with a dealt_card_id from game 2
  5. The vote is successfully cast on a card from a completely different game

Expected behavior
The toggle_vote handler should verify that the dealt_card_id belongs to a player in the current game before allowing the vote. If it doesn't match, the vote should be rejected.

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser: all
  • Version: N/A

Additional context
The vulnerable code in lib/copi_web/live/player_live/show.ex:

```elixir
def handle_event("toggle_vote", %{"dealt_card_id" => dealt_card_id}, socket) do
  {:ok, dealt_card} = DealtCard.find(dealt_card_id)
  # No check that dealt_card belongs to current game!
```

The fix should verify:

```elixir
game_card_ids = game.players
  |> Enum.flat_map(fn p -> p.dealt_cards end)
  |> Enum.map(fn dc -> dc.id end)
if dealt_card.id in game_card_ids do
```
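Added example (not code from the Copi project): the membership check from the suggested fix, factored into a pure function so it can be exercised with `elixir` alone, without Phoenix or a database. The struct shape (`game.players`, `player.dealt_cards`, `dealt_card.id`) follows the snippets above; the module name `VoteAuth`, the string-to-integer parsing of the client-supplied id and the sample games are assumptions. The `game` passed in must come from the server-side socket assigns, never from the event payload.

```elixir
# Added example, not the project's code. Authorizes a vote by checking that the
# dealt card the client named belongs to a player in the game held server-side.
defmodule VoteAuth do
  # The id arrives as a string in the LiveView event payload (assumption);
  # reject anything that is not a whole integer before touching game state.
  def authorize_vote(game, dealt_card_id) when is_binary(dealt_card_id) do
    case Integer.parse(dealt_card_id) do
      {id, ""} -> authorize_vote(game, id)
      _ -> {:error, :invalid_id}
    end
  end

  # Walk every player's dealt cards in *this* game and find the requested one.
  # A forged id from another game is simply not found and the vote is refused.
  def authorize_vote(game, dealt_card_id) when is_integer(dealt_card_id) do
    game.players
    |> Enum.flat_map(fn p -> p.dealt_cards end)
    |> Enum.find(fn dc -> dc.id == dealt_card_id end)
    |> case do
      nil -> {:error, :not_in_game}
      dealt_card -> {:ok, dealt_card}
    end
  end
end

# Constructed sample data: two separate games with one dealt card each.
game1 = %{id: 1, players: [%{id: 10, dealt_cards: [%{id: 100}]}]}
game2 = %{id: 2, players: [%{id: 20, dealt_cards: [%{id: 200}]}]}

# Legitimate vote: card 100 belongs to game 1.
{:ok, %{id: 100}} = VoteAuth.authorize_vote(game1, "100")
# Forged payload: card 200 exists, but only in game 2, so it is rejected.
{:error, :not_in_game} = VoteAuth.authorize_vote(game1, "200")
# The same id is valid when the vote is cast from within game 2.
{:ok, %{id: 200}} = VoteAuth.authorize_vote(game2, "200")
# Malformed id from devtools never reaches a lookup.
{:error, :invalid_id} = VoteAuth.authorize_vote(game1, "100abc")

IO.puts("all authorization checks passed")
```

Inside the real handler the `{:error, _}` branches would return `{:noreply, socket}` unchanged (optionally with a flash), so a rejected vote leaves game state untouched.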

Are you going to work on fixing this?

  • Yes
  • No
