Conversation

@christopherholland-workday
Contributor

Overview

The endpoint uses Object.assign() to copy all properties from the request body to the Lead entity without any input validation or field filtering. This allows attackers to bypass auto-generated fields and inject arbitrary values.

This PR allows only the fields that are user controlled to be user controlled ('chatflowid', 'name', 'email', 'phone').

Testing

Ran the same curl requests that exposed the issue and ensured that the fields like id and createdDate were generated by the code and not overridden by the request.

Example 1: id

Request:

curl -X POST http://localhost:3000/api/v1/leads \
-H "Content-Type: application/json" \
-d '{ "chatflowid": "attacker-chatflow-456", "name": "Attacker", "email": "[email protected]", "phone": "555-EVIL", "id": "nah-nah-nah" }'

Result (id was not taken from request):
{"name":"Attacker","email":"[email protected]","phone":"555-EVIL","chatflowid":"attacker-chatflow-456","chatId":"865b3723-3486-4605-9c76-ebd6b16a96d8","id":"bb39625f-d9a6-49de-888c-c0f2f0ded6db","createdDate":"2026-01-22T23:32:03.000Z"}

Example 2: createdDate

Request:

curl -X POST http://localhost:3000/api/v1/leads \
-H "Content-Type: application/json" \
-d '{ "chatflowid": "timestamp-test-789", "name": "Time Traveler", "email": "[email protected]", "createdDate": "1970-01-01T00:00:00.000Z" }'

Result (createdDate was not taken from request):
{"name":"Time Traveler","email":"[email protected]","chatflowid":"timestamp-test-789","chatId":"5c9a31e1-19e4-4887-b122-2f3bc6b01d26","id":"c0c97fd6-0eea-4f9d-b387-ff9b9cbc0df9","createdDate":"2026-01-22T23:38:02.000Z"}

Previously, the id and createdDate values would've been taken from the request.
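To make the mass-assignment issue and the allowlist fix concrete, here is an added example (not the project's code; the Lead shape and the counter-based id generator are simplified stand-ins) that contrasts the Object.assign() pattern with copying only the four user-controlled fields named above:

```typescript
// Minimal stand-in for the Lead entity (hypothetical shape, not the project's class).
interface Lead {
  id: string;
  chatId: string;
  chatflowid: string;
  name?: string;
  email?: string;
  phone?: string;
  createdDate: Date;
}

// Stand-in for the ids the server generates: a counter instead of UUIDs.
let seq = 0;
function newLead(): Lead {
  seq += 1;
  return { id: `srv-id-${seq}`, chatId: `srv-chat-${seq}`, chatflowid: "", createdDate: new Date() };
}

// BEFORE: mass assignment. Every key in the request body lands on the entity,
// so id, chatId and createdDate can all be overridden by the caller
// (and createdDate silently becomes a string, despite the declared type).
function createLeadVulnerable(body: Record<string, unknown>): Lead {
  return Object.assign(newLead(), body);
}

// AFTER: allowlist. Only the four user-controlled fields named in the PR are copied;
// every other key in the body is ignored.
const USER_FIELDS = ["chatflowid", "name", "email", "phone"] as const;

function createLeadSafe(body: Record<string, unknown>): Lead {
  const lead = newLead();
  for (const key of USER_FIELDS) {
    const value = body[key];
    if (typeof value === "string") lead[key] = value;
  }
  return lead;
}

// Constructed request body mirroring the PR's test: legitimate fields plus
// attempts to set server-generated ones.
const ATTACK_BODY: Record<string, unknown> = {
  chatflowid: "attacker-chatflow-456",
  name: "Attacker",
  id: "nah-nah-nah",
  chatId: "forged-chat",
  createdDate: "1970-01-01T00:00:00.000Z",
};

console.log("before:", createLeadVulnerable(ATTACK_BODY)); // caller's id/chatId/createdDate win
console.log("after: ", createLeadSafe(ATTACK_BODY));       // server-generated values kept
```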

@yau-wd yau-wd requested a review from igor-magun-wd January 29, 2026 08:46
@christopherholland-workday christopherholland-workday merged commit 1738fa9 into main Jan 29, 2026
5 checks passed
4 participants