Security-Hardening Runde 10: Pentest Runde 6 (8 Findings + struktureller Audit-Sweep)
KRITISCH: - emails/:id/thread bekommt canAccessCachedEmail - customers/:customerId/representatives/search bekommt canAccessCustomer (Buchstaben-Brute-Force konnte sonst die Kunden-DB enumerieren) HOCH: - birthdays/upcoming: Portal-User → 403 (Name/E-Mail/Telefon/Geb-Datum aller Kunden leakte) - contracts/:id/history (GET/POST/PUT/DELETE) bekommt canAccessContract - mailbox-accounts / unread-count / contracts/:id/emails/folder-counts bekommen canAccessCustomer bzw. canAccessContract - Vertreter-Vollmacht-Check ist jetzt live: neuer Helper getPortalAllowedCustomerIds() in accessControl.ts ruft hasAuthorization() für jedes vertretene Customer ab. Eingesetzt in getTasks/createSupportTicket/createCustomerReply/getAllTasks/ getTaskStats und updateCustomerConsent. Widerrufene Vollmachten haben jetzt SOFORT keinen Zugriff mehr (vorher: bis JWT abläuft). MITTEL: - confirmPasswordReset speichert portalPasswordEncrypted nicht mehr beim Self-Service-Reset (war nur für Admin-OTPs gedacht); + portalPasswordMustChange=false explizit - getCustomers pagination total reflektiert jetzt nur erlaubte IDs (über DB-Filter in customerService.getAllCustomers) Audit-Sweep (defense in depth, falls Rolle versehentlich Update- Permissions bekommt): - 16 cachedEmail-Operationen (markAsRead, toggleStar, assign/unassign, save-as-pdf/invoice/contract-document, save-to, attachment-targets, trash-ops) - 4 contract-Operationen (createFollowUp, createRenewal, snoozeContract, removeContractMeter) - 12 sub-CRUD-Operationen (address/bankcard/document/meter update+delete, meter-reading add/update/delete/transfer) - 2 representative-Operationen (add/remove) Live-verifiziert: Portal-Customer-3 auf alle fremden IDs → 403, Admin sieht alles, eigene Ressourcen weiterhin 200, Customer 1 mit widerrufener Vollmacht für Customer 3 → 0 fremde Verträge in der Response. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -18,30 +18,28 @@ import {
|
||||
canAccessBankCard,
|
||||
canAccessIdentityDocument,
|
||||
canAccessCustomer,
|
||||
getPortalAllowedCustomerIds,
|
||||
} from '../utils/accessControl.js';
|
||||
|
||||
// Customer CRUD
|
||||
export async function getCustomers(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const { search, type, page, limit } = req.query;
|
||||
|
||||
// Portal-User dürfen nur ihre eigenen + vertretene Kunden (mit aktiver
|
||||
// Vollmacht) sehen. Wir geben die Liste direkt als DB-Filter mit, damit
|
||||
// auch `pagination.total` nur über diese IDs zählt (Pentest Runde 6
|
||||
// MITTEL-02: `total: 4271` leakte vorher die globale Kunden-Zahl).
|
||||
const allowedIds = await getPortalAllowedCustomerIds(req);
|
||||
|
||||
const result = await customerService.getAllCustomers({
|
||||
search: search as string,
|
||||
type: type as 'PRIVATE' | 'BUSINESS',
|
||||
page: page ? parseInt(page as string) : undefined,
|
||||
limit: limit ? parseInt(limit as string) : undefined,
|
||||
allowedIds: allowedIds ?? undefined,
|
||||
});
|
||||
let customers = result.customers as any[];
|
||||
|
||||
// Portal-Kunden: Liste auf eigenen + vertretene Kunden einschränken.
|
||||
// Ohne diesen Filter würde der List-Endpoint die komplette Kundendatenbank
|
||||
// an einen einzelnen Portal-Account preisgeben.
|
||||
if (req.user?.isCustomerPortal) {
|
||||
const allowedIds = new Set<number>();
|
||||
if (req.user.customerId) allowedIds.add(req.user.customerId);
|
||||
const represented = (req.user as any).representedCustomerIds || [];
|
||||
for (const id of represented) allowedIds.add(id);
|
||||
customers = customers.filter((c) => allowedIds.has(c.id));
|
||||
}
|
||||
const customers = result.customers as any[];
|
||||
|
||||
// Portal-Kunden oder andere Rollen sehen kein portalPasswordEncrypted
|
||||
const canSeePasswords = req.user?.permissions?.includes('customers:update') ?? false;
|
||||
@@ -233,9 +231,10 @@ export async function createAddress(req: AuthRequest, res: Response): Promise<vo
|
||||
}
|
||||
}
|
||||
|
||||
export async function updateAddress(req: Request, res: Response): Promise<void> {
|
||||
export async function updateAddress(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const addressId = parseInt(req.params.id);
|
||||
if (!(await canAccessAddress(req, res, addressId))) return;
|
||||
const data = req.body;
|
||||
|
||||
// Vorherigen Stand laden für Audit
|
||||
@@ -296,9 +295,10 @@ export async function updateAddress(req: Request, res: Response): Promise<void>
|
||||
}
|
||||
}
|
||||
|
||||
export async function deleteAddress(req: Request, res: Response): Promise<void> {
|
||||
export async function deleteAddress(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const addressId = parseInt(req.params.id);
|
||||
if (!(await canAccessAddress(req, res, addressId))) return;
|
||||
const addr = await prisma.address.findUnique({ where: { id: addressId }, select: { customerId: true } });
|
||||
const customerId = addr?.customerId;
|
||||
await customerService.deleteAddress(addressId);
|
||||
@@ -350,9 +350,10 @@ export async function createBankCard(req: AuthRequest, res: Response): Promise<v
|
||||
}
|
||||
}
|
||||
|
||||
export async function updateBankCard(req: Request, res: Response): Promise<void> {
|
||||
export async function updateBankCard(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const cardId = parseInt(req.params.id);
|
||||
if (!(await canAccessBankCard(req, res, cardId))) return;
|
||||
const data = req.body;
|
||||
|
||||
// Vorherigen Stand laden für Audit
|
||||
@@ -408,9 +409,10 @@ export async function updateBankCard(req: Request, res: Response): Promise<void>
|
||||
}
|
||||
}
|
||||
|
||||
export async function deleteBankCard(req: Request, res: Response): Promise<void> {
|
||||
export async function deleteBankCard(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const cardId = parseInt(req.params.id);
|
||||
if (!(await canAccessBankCard(req, res, cardId))) return;
|
||||
const card = await prisma.bankCard.findUnique({ where: { id: cardId }, select: { customerId: true } });
|
||||
const customerId = card?.customerId;
|
||||
await customerService.deleteBankCard(cardId);
|
||||
@@ -462,9 +464,10 @@ export async function createDocument(req: AuthRequest, res: Response): Promise<v
|
||||
}
|
||||
}
|
||||
|
||||
export async function updateDocument(req: Request, res: Response): Promise<void> {
|
||||
export async function updateDocument(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const docId = parseInt(req.params.id);
|
||||
if (!(await canAccessIdentityDocument(req, res, docId))) return;
|
||||
const data = req.body;
|
||||
|
||||
// Vorherigen Stand laden für Audit
|
||||
@@ -526,9 +529,10 @@ export async function updateDocument(req: Request, res: Response): Promise<void>
|
||||
}
|
||||
}
|
||||
|
||||
export async function deleteDocument(req: Request, res: Response): Promise<void> {
|
||||
export async function deleteDocument(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const docId = parseInt(req.params.id);
|
||||
if (!(await canAccessIdentityDocument(req, res, docId))) return;
|
||||
const doc = await prisma.identityDocument.findUnique({ where: { id: docId }, select: { customerId: true } });
|
||||
const customerId = doc?.customerId;
|
||||
await customerService.deleteDocument(docId);
|
||||
@@ -580,9 +584,10 @@ export async function createMeter(req: AuthRequest, res: Response): Promise<void
|
||||
}
|
||||
}
|
||||
|
||||
export async function updateMeter(req: Request, res: Response): Promise<void> {
|
||||
export async function updateMeter(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const meterId = parseInt(req.params.id);
|
||||
if (!(await canAccessMeter(req, res, meterId))) return;
|
||||
const data = req.body;
|
||||
|
||||
// Vorherigen Stand laden für Audit
|
||||
@@ -637,9 +642,10 @@ export async function updateMeter(req: Request, res: Response): Promise<void> {
|
||||
}
|
||||
}
|
||||
|
||||
export async function deleteMeter(req: Request, res: Response): Promise<void> {
|
||||
export async function deleteMeter(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const meterId = parseInt(req.params.id);
|
||||
if (!(await canAccessMeter(req, res, meterId))) return;
|
||||
await customerService.deleteMeter(meterId);
|
||||
await logChange({
|
||||
req, action: 'DELETE', resourceType: 'Meter',
|
||||
@@ -667,10 +673,11 @@ export async function getMeterReadings(req: AuthRequest, res: Response): Promise
|
||||
}
|
||||
}
|
||||
|
||||
export async function addMeterReading(req: Request, res: Response): Promise<void> {
|
||||
export async function addMeterReading(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const { readingDate, value, valueNt, unit, notes } = req.body;
|
||||
const meterId = parseInt(req.params.meterId);
|
||||
if (!(await canAccessMeter(req, res, meterId))) return;
|
||||
const reading = await customerService.addMeterReading(meterId, {
|
||||
readingDate: new Date(readingDate),
|
||||
value: parseFloat(value),
|
||||
@@ -703,8 +710,10 @@ export async function addMeterReading(req: Request, res: Response): Promise<void
|
||||
}
|
||||
}
|
||||
|
||||
export async function updateMeterReading(req: Request, res: Response): Promise<void> {
|
||||
export async function updateMeterReading(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const meterId = parseInt(req.params.meterId);
|
||||
if (!(await canAccessMeter(req, res, meterId))) return;
|
||||
const { readingDate, value, valueNt, unit, notes } = req.body;
|
||||
const updateData: Record<string, unknown> = {};
|
||||
if (readingDate !== undefined) updateData.readingDate = new Date(readingDate);
|
||||
@@ -714,7 +723,7 @@ export async function updateMeterReading(req: Request, res: Response): Promise<v
|
||||
if (notes !== undefined) updateData.notes = notes;
|
||||
|
||||
const reading = await customerService.updateMeterReading(
|
||||
parseInt(req.params.meterId),
|
||||
meterId,
|
||||
parseInt(req.params.readingId),
|
||||
updateData as any
|
||||
);
|
||||
@@ -732,13 +741,12 @@ export async function updateMeterReading(req: Request, res: Response): Promise<v
|
||||
}
|
||||
}
|
||||
|
||||
export async function deleteMeterReading(req: Request, res: Response): Promise<void> {
|
||||
export async function deleteMeterReading(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const meterId = parseInt(req.params.meterId);
|
||||
if (!(await canAccessMeter(req, res, meterId))) return;
|
||||
const readingId = parseInt(req.params.readingId);
|
||||
await customerService.deleteMeterReading(
|
||||
parseInt(req.params.meterId),
|
||||
readingId
|
||||
);
|
||||
await customerService.deleteMeterReading(meterId, readingId);
|
||||
await logChange({
|
||||
req, action: 'DELETE', resourceType: 'MeterReading',
|
||||
resourceId: readingId.toString(),
|
||||
@@ -839,6 +847,7 @@ export async function getMyMeters(req: AuthRequest, res: Response): Promise<void
|
||||
export async function markReadingTransferred(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const meterId = parseInt(req.params.meterId);
|
||||
if (!(await canAccessMeter(req, res, meterId))) return;
|
||||
const readingId = parseInt(req.params.readingId);
|
||||
|
||||
const reading = await prisma.meterReading.update({
|
||||
@@ -1128,9 +1137,10 @@ export async function getRepresentatives(req: AuthRequest, res: Response): Promi
|
||||
}
|
||||
}
|
||||
|
||||
export async function addRepresentative(req: Request, res: Response): Promise<void> {
|
||||
export async function addRepresentative(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const customerId = parseInt(req.params.customerId);
|
||||
if (!(await canAccessCustomer(req, res, customerId))) return;
|
||||
const { representativeId, notes } = req.body;
|
||||
const representative = await customerService.addRepresentative(
|
||||
customerId,
|
||||
@@ -1152,9 +1162,10 @@ export async function addRepresentative(req: Request, res: Response): Promise<vo
|
||||
}
|
||||
}
|
||||
|
||||
export async function removeRepresentative(req: Request, res: Response): Promise<void> {
|
||||
export async function removeRepresentative(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
const customerId = parseInt(req.params.customerId);
|
||||
if (!(await canAccessCustomer(req, res, customerId))) return;
|
||||
await customerService.removeRepresentative(
|
||||
customerId,
|
||||
parseInt(req.params.representativeId)
|
||||
@@ -1173,8 +1184,13 @@ export async function removeRepresentative(req: Request, res: Response): Promise
|
||||
}
|
||||
}
|
||||
|
||||
export async function searchForRepresentative(req: Request, res: Response): Promise<void> {
|
||||
export async function searchForRepresentative(req: AuthRequest, res: Response): Promise<void> {
|
||||
try {
|
||||
// KRITISCH (Pentest Runde 6): ohne canAccessCustomer kann ein Portal-User
|
||||
// mit beliebigem :customerId-Pfad alle Kunden durchsuchen → komplette
|
||||
// Kunden-DB-Enumeration via Buchstaben-Brute-Force.
|
||||
const customerId = parseInt(req.params.customerId);
|
||||
if (!(await canAccessCustomer(req, res, customerId))) return;
|
||||
const { search } = req.query;
|
||||
if (!search || typeof search !== 'string' || search.length < 2) {
|
||||
res.json({ success: true, data: [] } as ApiResponse);
|
||||
@@ -1182,7 +1198,7 @@ export async function searchForRepresentative(req: Request, res: Response): Prom
|
||||
}
|
||||
const customers = await customerService.searchCustomersForRepresentative(
|
||||
search,
|
||||
parseInt(req.params.customerId)
|
||||
customerId,
|
||||
);
|
||||
res.json({ success: true, data: customers } as ApiResponse);
|
||||
} catch (error) {
|
||||
|
||||
Reference in New Issue
Block a user