Fix: authorization check in toggle_vote to prevent cross-game voting #2625
Open
xovishnukosuri wants to merge 1 commit into OWASP:master from
Conversation
The toggle_vote event handler previously accepted any dealt_card_id without verifying it belonged to the current game. A player could forge the dealt_card_id in browser devtools to vote on cards from other games. This adds a check that collects all dealt card IDs from the current game's players and rejects the vote with a warning log if the dealt_card_id does not belong to the game.

Fixes OWASP#2520

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- Adds an authorization check to the toggle_vote event handler in player_live/show.ex to verify that the dealt_card_id belongs to a player in the current game before allowing the vote
Details
The toggle_vote handler previously fetched a dealt card using only the dealt_card_id from the event payload without any authorization check. A player could forge the dealt_card_id in browser devtools to cast votes on cards from any game.
The fix collects all dealt card IDs from the current game's players (already preloaded on the socket) and checks membership before proceeding with the vote logic. This follows the same pattern as the approach suggested in the issue.
Fixes #2520
Test plan
- toggle_vote test (add/remove vote on own game's card) still passes
- toggle_vote rejects vote on a dealt card from another game: creates a second game with a dealt card and confirms that voting on it from game 1 results in zero votes on that card
🤖 Generated with Claude Code
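The membership check the description outlines, as an added Elixir illustration that is not the PR's diff or the project's code; the module name, the socket assign `game`, the `:players`/`:dealt_cards` fields and the `demo/0` data are assumptions. It also normalises IDs to strings so a payload value compares equal to a stored integer or UUID id.

```elixir
# Added illustration, not the PR's code. Assumed shape (hypothetical names):
# socket.assigns.game is a game struct with :players preloaded, and each
# player carries a :dealt_cards list whose elements have an :id field.
defmodule CopiWeb.PlayerLive.VoteAuthExample do
  require Logger

  # Every dealt card ID that belongs to this game, normalised to strings so a
  # payload string ("42") compares equal to a stored integer or UUID id.
  def dealt_card_ids(%{players: players}) when is_list(players) do
    players
    |> Enum.flat_map(fn %{dealt_cards: cards} -> cards end)
    |> MapSet.new(fn card -> to_string(card.id) end)
  end

  # :ok when the card was dealt in this game, {:error, :unauthorized} otherwise.
  def authorize_vote(game, dealt_card_id) do
    if MapSet.member?(dealt_card_ids(game), to_string(dealt_card_id)) do
      :ok
    else
      {:error, :unauthorized}
    end
  end

  # Hardened handler shape: authorise before fetching the card or touching votes.
  def handle_event("toggle_vote", %{"dealt_card_id" => dealt_card_id}, socket) do
    game = socket.assigns.game

    case authorize_vote(game, dealt_card_id) do
      :ok ->
        # existing toggle-vote logic goes here, unchanged by the check
        {:noreply, socket}

      {:error, :unauthorized} ->
        Logger.warning(
          "toggle_vote rejected: dealt_card_id #{dealt_card_id} not in game #{game.id}"
        )

        {:noreply, socket}
    end
  end

  # Constructed data: game 1 owns cards 1 and 2; card 99 was dealt in another game.
  def demo do
    game = %{id: 1, players: [%{dealt_cards: [%{id: 1}, %{id: 2}]}, %{dealt_cards: []}]}
    {authorize_vote(game, "2"), authorize_vote(game, "99")}
  end
end
```

Rejecting with the socket unchanged (rather than raising) keeps a forged payload from crashing the LiveView process while still leaving a warning in the logs for detection.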