Merge pull request from GHSA-f69g-q6v2-rhjp

* fix(api-server): only allow specified profile keys * simplify and fix validation
2026-05-28 18:26:54 +00:00 · 2023-10-30 17:05:13 +02:00
parent 6a58c8ac8a
commit 5094a82704
1 changed files with 15 additions and 1 deletions
@@ -146,9 +146,23 @@ function updateMyProfileUI(req, res, next) {
    user,
    body: { profileUI }
  } = req;
+
+  const update = {
+    isLocked: !!profileUI.isLocked,
+    showAbout: !!profileUI.showAbout,
+    showCerts: !!profileUI.showCerts,
+    showDonation: !!profileUI.showDonation,
+    showHeatMap: !!profileUI.showHeatMap,
+    showLocation: !!profileUI.showLocation,
+    showName: !!profileUI.showName,
+    showPoints: !!profileUI.showPoints,
+    showPortfolio: !!profileUI.showPortfolio,
+    showTimeLine: !!profileUI.showTimeLine
+  };
+
  user.updateAttribute(
    'profileUI',
-    profileUI,
+    update,
    createStandardHandler(req, res, next, 'flash.privacy-updated')
  );
 }