Skip to content

Security & Quality Bug Fixes #1

Description

@cormacd9974

Security and quality fixes identified via code review. Check off each one as it's applied.

Critical

  • Fix 1 — Privilege escalation: any user can make themselves admin (server/controllers/userController.js lines 289–293)
  • Fix 2 — Broken access control: any user can read/edit/delete any task (server/controllers/taskController.js — 6 functions)
  • Fix 3 — NoSQL injection on login, forgot password and reset password (server/controllers/userController.js)
  • Fix 4 — No server-side password length validation on register, change password and reset password (server/controllers/userController.js)
  • Fix 5 — Remove test email scheduler route exposed to all users (server/routes/taskRoute.js)
  • Fix 6 — XSS via unescaped user data in email HTML (server/utils/emailService.js)

Warnings

  • Fix 7role field uses required: "user" instead of default: "user" (server/models/userModel.js line 10)
  • Fix 8 — Notification flags not reset when due date is edited (server/controllers/taskController.jsupdateTask)
  • Fix 9 — Duplicated tasks copy completed subtask state (server/controllers/taskController.jsduplicateTask)
  • Fix 10 — No rate limiting on login, forgot password and reset password endpoints (server/routes/userRoute.js)

Minor

  • Fix 11 — Tailwind class typos: npy-2, tracking-all, hover:border-blue-[#0068B5] (Tasks.jsx, History.jsx)
  • Fix 12 — History CSV only quotes title column, not all fields (client/src/pages/History.jsx)
  • Fix 13 — Array index used as React key in History table (client/src/pages/History.jsx)
  • Fix 14 — Uploaded files publicly accessible without authentication (server/index.js line 41)

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingsecurity

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions