Add validation to prevent privilege escalation via is_superuser field and enhance related tests

- Added explicit Pydantic validation to reject modifications to `is_superuser` in `UserUpdate` schema. - Updated backend logic in `users.py` to support defense-in-depth against privilege escalation. - Introduced comprehensive tests for `/users` and `/users/me` endpoints to ensure `is_superuser` validation works correctly. - Enhanced error handling and validation messages for better clarity and robustness.
2025-11-01 16:15:03 +01:00
parent a82e5ea0e6
commit d75a8de91b
4 changed files with 58 additions and 15 deletions
--- a/backend/app/api/routes/users.py
+++ b/backend/app/api/routes/users.py
@@ -146,10 +146,10 @@ async def update_current_user(
    Users cannot elevate their own permissions (is_superuser).
    """
    # Prevent users from making themselves superuser
-    # NOTE: UserUpdate schema doesn't include is_superuser, so this is dead code
-    if getattr(user_update, 'is_superuser', None) is not None:  # pragma: no cover
-        logger.warning(f"User {current_user.id} attempted to modify is_superuser field")  # pragma: no cover
-        raise AuthorizationError(  # pragma: no cover
+    # NOTE: Pydantic validator will reject is_superuser != None, but this provides defense in depth
+    if getattr(user_update, 'is_superuser', None) is not None:
+        logger.warning(f"User {current_user.id} attempted to modify is_superuser field")
+        raise AuthorizationError(
            message="Cannot modify superuser status",
            error_code=ErrorCode.INSUFFICIENT_PERMISSIONS
        )
@@ -266,10 +266,10 @@ async def update_user(
        )

    # Prevent non-superusers from modifying superuser status
-    # NOTE: UserUpdate schema doesn't include is_superuser, so this is dead code
-    if getattr(user_update, 'is_superuser', None) is not None and not current_user.is_superuser:  # pragma: no cover
-        logger.warning(f"User {current_user.id} attempted to modify is_superuser field")  # pragma: no cover
-        raise AuthorizationError(  # pragma: no cover
+    # NOTE: Pydantic validator will reject is_superuser != None, but this provides defense in depth
+    if getattr(user_update, 'is_superuser', None) is not None and not current_user.is_superuser:
+        logger.warning(f"User {current_user.id} attempted to modify is_superuser field")
+        raise AuthorizationError(
            message="Cannot modify superuser status",
            error_code=ErrorCode.INSUFFICIENT_PERMISSIONS
        )
--- a/backend/app/schemas/users.py
+++ b/backend/app/schemas/users.py
@@ -38,6 +38,7 @@ class UserUpdate(BaseModel):
    password: Optional[str] = None
    preferences: Optional[Dict[str, Any]] = None
    is_active: Optional[bool] = None  # Changed default from True to None to avoid unintended updates
+    is_superuser: Optional[bool] = None  # Explicitly reject privilege escalation attempts

    @field_validator('phone_number')
    @classmethod
@@ -52,6 +53,14 @@ class UserUpdate(BaseModel):
            return v
        return validate_password_strength(v)

+    @field_validator('is_superuser')
+    @classmethod
+    def prevent_superuser_modification(cls, v: Optional[bool]) -> Optional[bool]:
+        """Prevent users from modifying their superuser status via this schema."""
+        if v is not None:
+            raise ValueError("Cannot modify superuser status through user update")
+        return v
+

 class UserInDB(UserBase):
    id: UUID
--- a/backend/tests/api/test_user_routes.py
+++ b/backend/tests/api/test_user_routes.py
@@ -222,20 +222,22 @@ class TestUpdateCurrentUser:
        """Test that users cannot make themselves superuser."""
        headers = await get_auth_headers(client, async_test_user.email, "TestPassword123!")

-        # Note: is_superuser is not in UserUpdate schema, but the endpoint checks for it
-        # This tests that even if someone tries to send it, it's rejected
+        # Note: is_superuser is now in UserUpdate schema with explicit validation
+        # This tests that Pydantic rejects the attempt at the schema level
        response = await client.patch(
            "/api/v1/users/me",
            headers=headers,
            json={"first_name": "Test", "is_superuser": True}
        )

-        # Should succeed since is_superuser is not in schema and gets ignored by Pydantic
-        # The actual protection is at the database/service layer
-        assert response.status_code == status.HTTP_200_OK
+        # Pydantic validation should reject this at the schema level
+        assert response.status_code == status.HTTP_422_UNPROCESSABLE_ENTITY
        data = response.json()
-        # Verify user is still not a superuser
-        assert data["is_superuser"] is False
+        assert data["success"] is False
+        assert "errors" in data
+        # Check that the error mentions is_superuser
+        error_fields = [err["field"] for err in data["errors"]]
+        assert "is_superuser" in error_fields

    @pytest.mark.asyncio
    async def test_update_profile_no_auth(self, client):
--- a/backend/tests/api/test_users.py
+++ b/backend/tests/api/test_users.py
@@ -112,6 +112,26 @@ class TestUpdateCurrentUser:
                    json={"first_name": "Updated"}
                )

+    @pytest.mark.asyncio
+    async def test_update_current_user_cannot_make_superuser(self, client, user_token):
+        """Test that users cannot make themselves superuser (Pydantic validation)."""
+        response = await client.patch(
+            "/api/v1/users/me",
+            headers={"Authorization": f"Bearer {user_token}"},
+            json={"is_superuser": True}
+        )
+
+        # Pydantic validation should reject this at the schema level
+        assert response.status_code == status.HTTP_422_UNPROCESSABLE_ENTITY
+        data = response.json()
+        assert data["success"] is False
+        assert "errors" in data
+        # Check that the error mentions is_superuser
+        error_fields = [err["field"] for err in data["errors"]]
+        assert "is_superuser" in error_fields
+        error_messages = [err["message"] for err in data["errors"]]
+        assert any("superuser" in msg.lower() for msg in error_messages)
+
    @pytest.mark.asyncio
    async def test_update_current_user_value_error(self, client, user_token):
        """Test ValueError handling during update (covers lines 165-166)."""
@@ -168,6 +188,18 @@ class TestUpdateUserById:

        assert response.status_code == status.HTTP_404_NOT_FOUND

+    @pytest.mark.asyncio
+    async def test_update_user_by_id_non_superuser_cannot_change_superuser_status(self, client, async_test_user, user_token):
+        """Test non-superuser cannot modify superuser status (Pydantic validation)."""
+        response = await client.patch(
+            f"/api/v1/users/{async_test_user.id}",
+            headers={"Authorization": f"Bearer {user_token}"},
+            json={"is_superuser": True}
+        )
+
+        # Pydantic validation should reject this at the schema level
+        assert response.status_code == status.HTTP_422_UNPROCESSABLE_ENTITY
+
    @pytest.mark.asyncio
    async def test_update_user_by_id_success(self, client, async_test_user, superuser_token):
        """Test updating user successfully (covers lines 276-278)."""