+ "details": "### Description \n The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any `UserWhatsApp` record by ID. Ownership is not validated (unlike the verify endpoint).\n\n### Affected Source \n- Endpoint: [UserWhatsAppAPI.ts](https://github.com/OneUptime/oneuptime/Common/Server/API/UserWhatsAppAPI.ts#L129-L153) \n- Service: [UserWhatsAppService.ts](https://github.com/OneUptime/oneuptime/Common/Server/API/UserWhatsAppAPI.ts#L129-L153) \n- Verify ownership (present in verify endpoint for comparison): [UserWhatsAppAPI.ts](https://github.com/OneUptime/oneuptime/Common/Server/API/UserWhatsAppAPI.ts#L78-L87)\n\n\n### Full Code Lines (UserWhatsAppAPI.ts)\n\nResend path (authorization gap):\n\n```ts\n this.router.post(\n `${new this.entityType()\n .getCrudApiPath()\n ?.toString()}/resend-verification-code`,\n UserMiddleware.getUserMiddleware,\n async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {\n try {\n req = req as OneUptimeRequest;\n\n if (!req.body.itemId) {\n return Response.sendErrorResponse(\n req,\n res,\n new BadDataException(\"Invalid item ID\"),\n );\n }\n\n await this.service.resendVerificationCode(req.body.itemId);\n\n return Response.sendEmptySuccessResponse(req, res);\n } catch (err) {\n return next(err);\n }\n },\n );\n```\n\nVerify path (ownership check present):\n\n```ts\n if (\n item.userId?.toString() !==\n (req as OneUptimeRequest)?.userAuthorization?.userId?.toString()\n ) {\n return Response.sendErrorResponse(\n req,\n res,\n new BadDataException(\"Invalid user ID\"),\n );\n }\n```\n\n## Prerequisites\n- Valid attacker account with access to a project\n- Attacker access token\n- A victim’s `UserWhatsApp` itemId belonging to the same project\n\n## Steps to Reproduce\n1. Set your attacker token:\n\n ```bash\n export ATK=\"Bearer <attacker-access-token>\"\n ```\n\n2. Trigger resend for the victim’s item:\n\n ```bash\n curl -s -X POST \\\n -H \"Content-Type: application/json\" \\\n -H \"Authorization: $ATK\" \\\n -d '{\"itemId\":\"<victim-userwhatsapp-id>\"}' \\\n http://<host>/api/user-whats-app/resend-verification-code\n ```\n\n## Expected/Observed Behavior\n- HTTP 200 with `{}` body and a new verification code sent to the victim’s phone\n- No checks confirm that `item.userId` equals the authenticated user’s ID for the resend path\n\n## Impact\n- Spam/DoS against victims’ phone numbers, social engineering pressure, and potential lockout flows due to repeated resends\n\n## Recommended Fix\n- Enforce ownership: `item.userId` must match the authenticated user\n- Add per-item and per-user rate limiting for resends",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments