feat(excessive data exposure): add user phone number on `/api/users/o…

…ne/:email` (#295)
NeuraLegion · Dec 23, 2023 · cae06a0 · cae06a0
1 parent 037383e
commit cae06a0
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -135,4 +135,6 @@ Additionally, the endpoint PUT /api/users/one/{email}/photo accepts SVG images,
 
 * **Broken Function Level Authorization** - The endpoint DELETE `/users/one/:id/photo?isAdmin=` can be used to delete any user's profile photo by enumerating the user IDs and setting the `isAdmin` query parameter to true, as there is no validation of it's value on the server side.
 
-* **IFrame Injection** - The `/testimonials` page a URL parameter `videosrc` which directly controls the src attribute of the IFrame at the bottom of this page. Similarly, the home page takes a URL param `maptitle` which directly controls the `title` attribute of the IFrame at the CONTACT section of this page.
+* **IFrame Injection** - The `/testimonials` page a URL parameter `videosrc` which directly controls the src attribute of the IFrame at the bottom of this page. Similarly, the home page takes a URL param `maptitle` which directly controls the `title` attribute of the IFrame at the CONTACT section of this page.
+
+* **Excessive Data Exposure** - The `/api/users/one/:email` is supposed to expose only basic user information required to be displayed on the UI, but it also returns the user's phone number which is unnecessary information.
diff --git a/src/users/api/UserDto.ts b/src/users/api/UserDto.ts
@@ -29,7 +29,7 @@ export class UserDto {
   @ApiProperty({ example: '4263982640269299' })
   cardNumber: string;
 
-  @Expose({ groups: [FULL_USER_INFO] })
+  @Expose({ groups: [BASIC_USER_INFO, FULL_USER_INFO] })
   @ApiProperty({ example: '12065550100' })
   phoneNumber: string;