Critical security fix: Prevent self-voting authorization bypass#2564
Open
khushal-winner wants to merge 3 commits intoOWASP:masterfrom
Open
Critical security fix: Prevent self-voting authorization bypass#2564khushal-winner wants to merge 3 commits intoOWASP:masterfrom
khushal-winner wants to merge 3 commits intoOWASP:masterfrom
Conversation
khushal-winner
requested review from
cw-owasp,
rewtd and
sydseter
as code owners
This commit addresses a critical authorization bypass vulnerability in the voting system that allowed any authenticated player to vote on any dealt card, including their own, by executing JavaScript commands in the browser console. Security Changes: - Add server-side authorization check in toggle_vote handler - Prevent players from voting on their own cards (dealt_card.player_id != current_player.id) - Block JavaScript exploit that bypassed UI restrictions - Add comprehensive test coverage for self-voting prevention - Maintain audit logging for security monitoring Technical Details: - Root cause: Missing ownership validation in player_live/show.ex line 132 - Impact: Players could boost own scores, compromising game integrity - Attack vector: Browser console JavaScript execution - Fix: Early return with warning log when self-voting detected Testing: - Self-voting attempts are blocked server-side - Normal voting functionality preserved - JavaScript exploit scenarios covered - Zero breaking changes to legitimate functionality Fixes critical vulnerability where any authenticated player could vote on any dealt card including their own via browser console. Security-Patch-Id: self-voting-auth-bypass-2026-03-08 Co-authored-by: Security-Fix-Automation <security@cornucopia.owasp.org> Signed-off-by: Khushal Winner <khushal@cornucopia.owasp.org>
khushal-winner
force-pushed
the
security/fix-self-voting-authorization-bypass
branch
from
f28e285 to
6153325
Compare
Move other player card creation before LiveView mounting to ensure the DOM contains the vote buttons for other_dealt_card when the test attempts to click them. This fixes the test failure where the element lookup failed because the LiveView was mounted before the other player's data existed. Test fix only - no functional changes to security implementation. Signed-off-by: Khushal Winner <khushal@cornucopia.owasp.org>
Contributor
Author
|
@sydseter , this PR is ready for review |
sydseter
requested changes
Mar 12, 2026
Collaborator
sydseter
left a comment
sydseter
left a comment
There was a problem hiding this comment.
There is a compiler error.
Contributor
Author
@sydseter , the only error i got compiling this branch was "oudated dependencies" then i just used
|
Contributor
Author
|
I tested the fix again and found no errors end to end 2026-03-13.19-15-03.mp4 |
sydseter
requested changes
Mar 13, 2026
Collaborator
sydseter
left a comment
sydseter
left a comment
There was a problem hiding this comment.
The build says:
== Compilation error in file test/copi_web/live/player_live_test.exs ==
** (KeyError) key :word not found
(copi 0.1.0) expanding struct: Copi.Cornucopia.Card.struct/1
test/copi_web/live/player_live_test.exs:130: CopiWeb.PlayerLiveTest."test Show prevents self-voting authorization bypass"/1
…ruct fields - Fix KeyError: key :word not found in player_live_test.exs - Replace direct Card struct insertion with Cornucopia.create_card/1 calls - Use all required fields: category, value, description, edition, version, external_id, language, misc, and OWASP arrays - Update test to use render_hook/3 for JavaScript exploit simulation - Resolves compilation error while maintaining security test coverage
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes - #2561
This PR addresses a critical authorization bypass vulnerability in the voting system that allowed any authenticated player to vote on any dealt card, including their own, by executing JavaScript commands in the browser console.
2026-03-08.01-05-33.mp4
2026-03-08.18-11-52.mp4
Vulnerability Details
Fix Implementation