From 825d0701e8093dc57f9d4b063dba7f2b777e635e Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Mon, 13 Apr 2020 15:18:50 +0200
Subject: [PATCH] Merge pull request #2742 from overleaf/jpa-hotfix-user-lookup

[UserPagesController] block arbitrary user lookups

GitOrigin-RevId: 4d88abbd0ad14289a73e7f502c0686f206617459
---
 services/web/app/src/Features/User/UserPagesController.js | 4 ++++
 services/web/test/unit/src/User/UserPagesControllerTests.js | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/services/web/app/src/Features/User/UserPagesController.js b/services/web/app/src/Features/User/UserPagesController.js
index 23ef4cec65..5fb2564d56 100644
--- a/services/web/app/src/Features/User/UserPagesController.js
+++ b/services/web/app/src/Features/User/UserPagesController.js
@@ -34,6 +34,10 @@ const UserPagesController = {
       return ErrorController.notFound(req, res)
     }
 
+    if (typeof req.query.user_id !== 'string') {
+      return ErrorController.forbidden(req, res)
+    }
+
     UserGetter.getUser(
       req.query.user_id,
       { email: 1, loginCount: 1 },
diff --git a/services/web/test/unit/src/User/UserPagesControllerTests.js b/services/web/test/unit/src/User/UserPagesControllerTests.js
index e3f0e9043a..d44477584e 100644
--- a/services/web/test/unit/src/User/UserPagesControllerTests.js
+++ b/services/web/test/unit/src/User/UserPagesControllerTests.js
@@ -318,6 +318,12 @@ describe('UserPagesController', function() {
       return this.UserPagesController.activateAccountPage(this.req, this.res)
     })
 
+    it('should 403 for complex user_id', function(done) {
+      this.ErrorController.forbidden = () => done()
+      this.req.query.user_id = { first_name: 'X' }
+      return this.UserPagesController.activateAccountPage(this.req, this.res)
+    })
+
     it('should redirect activated users to login', function(done) {
       this.user.loginCount = 1
       this.res.redirect = url => {
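Review bot: The new `typeof req.query.user_id !== 'string'` guard in the first hunk stops the query-string parser's object and array forms (for example `?user_id[$ne]=x` or a repeated `user_id=`) from reaching `UserGetter.getUser` as a query operator, but it still passes any string through, so the shape of the id itself is never checked before the lookup. If user ids here are Mongo ObjectIds, tightening the guard to `if (typeof req.query.user_id !== 'string' || !/^[0-9a-f]{24}$/.test(req.query.user_id)) {` rejects malformed ids up front instead of relying on whatever `getUser` does with them, which is not visible in this hunk. The guard also reads as arbitrary without a rationale; a comment such as `// user_id must be a plain string: express/qs can parse it into an object or array, which would turn the lookup into an operator injection` would keep the next maintainer from "simplifying" it away. Returning 403 for a missing or malformed parameter is also debatable, since this is a malformed request rather than a denied one; 400 would be the conventional choice, though 403 is harmless. The enclosing `activateAccountPage` handler starts before this hunk and continues after it.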
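Review bot: The new test in the second hunk covers only the object case (`{ first_name: 'X' }`), while the guard it exercises also rejects the array form a repeated query parameter produces and a missing `user_id`, neither of which is pinned here. Two sibling cases in the same style, `this.req.query.user_id = ['a', 'b']` and `delete this.req.query.user_id`, each expecting `forbidden` to be called, would lock in the full behaviour the controller change introduces. The enclosing `describe` block starts before this hunk and continues after it.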