Merge pull request #2742 from overleaf/jpa-hotfix-user-lookup

[UserPagesController] block arbitrary user lookups

GitOrigin-RevId: 4d88abbd0ad14289a73e7f502c0686f206617459

services/web/app/src/Features/User/UserPagesController.js

@@ -34,6 +34,10 @@ const UserPagesController = {
       return ErrorController.notFound(req, res)
     }
 
+    if (typeof req.query.user_id !== 'string') {
+      return ErrorController.forbidden(req, res)
+    }
+
     UserGetter.getUser(
       req.query.user_id,
       { email: 1, loginCount: 1 },

services/web/test/unit/src/User/UserPagesControllerTests.js

@@ -318,6 +318,12 @@ describe('UserPagesController', function() {
       return this.UserPagesController.activateAccountPage(this.req, this.res)
     })
 
+    it('should 403 for complex user_id', function(done) {
+      this.ErrorController.forbidden = () => done()
+      this.req.query.user_id = { first_name: 'X' }
+      return this.UserPagesController.activateAccountPage(this.req, this.res)
+    })
+
     it('should redirect activated users to login', function(done) {
       this.user.loginCount = 1
       this.res.redirect = url => {