OpenLearn Forum Post Bypasses Moderation via Direct ID Access (CWE-284)

# Vulnerability Summary: OpenLearn Forum Post Bypass of Moderation Mechanism ## Vulnerability Overview When `safeMode` (moderation mode) is enabled, unmoderated forum posts are not visible in public listings. However, the read interface accessed via direct ID still returns the full content. Attackers can directly retrieve unmoderated post data using known UUIDs, thereby bypassing moderation controls. ## Impact Scope - **Affected Versions**: [0]; let appRouter: AppRouter; const TEST_AUTH_SECRET = "12345678901234567890123456789012_test_secret_value"; const createdUserIds = new Set(); const createdPostIds = new Set(); beforeAll(async () => { if (!process.env.AUTH_SECRET) { process.env.AUTH_SECRET = TEST_AUTH_SECRET; } appRouter = await import("~/server/main"); }); beforeEach(async () => { await cleanupArtifacts(); process.env.AUTH_SECRET = TEST_AUTH_SECRET; await prisma.config.upsert({ where: { key: "safeMode" }, update: { value: true }, create: { key: "safeMode", value: true }, }); }); afterEach(async () => { await cleanupArtifacts(); }); afterAll(async () => { await cleanupArtifacts(); await prisma.$disconnect(); }); function makeCaller(user?: { id: string; email: string; name?: string }) { const ctx = { prisma, user } as unknown as CallerContext; return appRouter.createCaller(ctx); } async function createTestUser() { const userId = crypto.randomUUID(); const unique = `${Date.now()}-${Math.random().toString(36).slice(2)}`; const user = await prisma.user.create({ data: { id: userId, name: `Test User ${unique}`, email: `test-${unique}@example.com`, emailVerified: true, role: "user", }, }); createdUserIds.add(user.id); return user; } async function cleanupArtifacts() { const postIds = [...createdPostIds]; const userIds = [...createdUserIds]; await prisma.config.deleteMany({ where: { key: "safeMode", }, }); if (postIds.length > 0) { await prisma.forumPost.deleteMany({ where: { postId: { in: postIds } } }); await prisma.forumPostReply.deleteMany({ where: { postId: { in: postIds } } }); await prisma.forumPost.deleteMany({ where: { id: { in: postIds } } }); } if (userIds.length > 0) { await prisma.forumPost.deleteMany({ where: { userId: { in: userIds } } }); await prisma.forumPostReply.deleteMany({ where: { authorId: { in: userIds } } }); await prisma.forumPost.deleteMany({ where: { authorId: { in: userIds } } }); await prisma.user.deleteMany({ where: { id: { in: userIds } } }); } createdPostIds.clear(); createdUserIds.clear(); } describe("Forum moderation bypass", () => { it("exposes an unapproved post through getSpecificPost when safeMode is enabled", async () => { const author = await createTestUser(); const authorCaller = makeCaller({ id: author.id, email: author.email, name: author.name }); const post = await authorCaller.forum.makePost({ title: `Pending ${Date.now()}`, content: "This post should stay hidden until an admin approves it.", subject: "nt", }); createdPostIds.add(post.id); const listedPosts = await makeCaller().forum.getPost({}); expect(listedPosts.some((candidate) => candidate.id === post.id)).toBe(false); const leakedPost = await makeCaller().forum.getSpecificPost({ postId: post.id }); expect(leakedPost.id).toBe(post.id); expect(leakedPost.content).toBe("This post should stay hidden until an admin approves it."); expect(leakedPost.hasBeenAdminChecked).toBe(false); }); }); ``` ## Minimal Reproduction Steps 1. Enable `safeMode` 2. Create a new forum post as a regular user 3. Confirm that the post does not appear in the `forum.getPosts` list 4. Call `forum.getSpecificPost` as an unauthenticated caller and pass the post UUID 5. The unmoderated post is returned in full

Goal Reached Thanks to every supporter — we hit 100%!

OpenLearn Forum Post Bypasses Moderation via Direct ID Access (CWE-284)

More from this source