Merge pull request #1822 from CVEProject/af-1735

david-rocca · web-flow · commit 519d23215c08 · 2026-05-27T13:38:36.000-04:00
Resolves Issue #1735 and #1736, Preventing UUID changes on update requests
diff --git a/src/controller/registry-org.controller/registry-org.controller.js b/src/controller/registry-org.controller/registry-org.controller.js
@@ -294,6 +294,13 @@ async function updateOrg (req, res, next) {
 
         // Eventually we should validate this, but this is a bit tricky.
         if (reviewOrg) {
+          // For review objects, verify the provided UUID matches the target review object's UUID
+          const providedUUID = body?.UUID || body?.uuid
+          if (providedUUID && providedUUID !== reviewOrg.uuid) {
+            await session.abortTransaction()
+            return res.status(400).json(error.uuidProvided('org'))
+          }
+
           const updateResult = await reviewRepo.updateReviewOrgObject(body, reviewOrg.uuid, { session })
           if (updateResult) {
             updatedOrg = reviewOrg
@@ -307,6 +314,15 @@ async function updateOrg (req, res, next) {
         }
       }
 
+      // Verify that the provided UUID matches the existing organization's immutable database UUID
+      if (org) {
+        const providedUUID = body?.UUID || body?.uuid
+        if (providedUUID && providedUUID !== org.UUID) {
+          await session.abortTransaction()
+          return res.status(400).json(error.uuidProvided('org'))
+        }
+      }
+
       // Validate org
       const result = repo.validateOrg(body, { session })
       if (!result.isValid) {
diff --git a/src/controller/registry-user.controller/registry-user.controller.js b/src/controller/registry-user.controller/registry-user.controller.js
@@ -295,6 +295,19 @@ async function updateUser (req, res, next) {
     }
   }
 
+  // Allow existing UUIDs to be passed, but block any attempts to mutate them
+  if (userToEdit) {
+    if (body?.UUID || body?.uuid) {
+      if (body.UUID) body.UUID = userToEdit.UUID
+      if (body.uuid) body.uuid = userToEdit.UUID
+    }
+
+    if (body?.org_UUID || body?.org_uuid) {
+      if (body.org_UUID) body.org_UUID = userToEdit.org_UUID
+      if (body.org_uuid) body.org_uuid = userToEdit.org_UUID
+    }
+  }
+
   if (body.org_short_name && !isSecretariat) {
     logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
     return res.status(403).json(error.notAllowedToChangeOrganization())
