
fix: prevent mass assignment of userId in updateTask#1374

Merged
aryandas2911 merged 2 commits into aryandas2911:main from vipul674:fix/1373-mass-assignment-vulnerability on Jun 7, 2026

Conversation

@vipul674
Contributor

@vipul674 vipul674 commented May 31, 2026

Description

Fixes a mass assignment vulnerability in backend/controllers/taskController.js where raw req.body was passed directly into MongoDB's $set operator, allowing an authenticated user to overwrite protected fields like userId and reassign tasks to other users.

The fix destructures userId and _id out of req.body before passing the remaining safe fields to the update operation.

Difficulty & Label Request

  • Assessed difficulty: level:beginner
  • Maintainer: please apply the level:beginner label if this assessment is appropriate, so this contribution is scored correctly under GSSoC 2026 guidelines.
  • Maintainer: please also apply the gssoc:approved label after review so this PR earns its base GSSoC points.
  • Maintainer: please also apply the quality:clean or quality:exceptional label after review. Thank you!

Type

  • Bug fix

Testing & Verification

  • Code logic verified — userId and _id are stripped from update payload
  • Legitimate update fields (title, description, status, tags, priority, dueDate) still pass through
  • Existing title length validation still works on safe updates

GSSoC 2026 Compliance & Transparency

@vipul674
Contributor Author

vipul674 commented Jun 2, 2026

@aryandas2911 Please review and let me know for any changes.

@vipul674
Contributor Author

vipul674 commented Jun 4, 2026

TDD Verification Report

@aryandas2911 (maintainer)

| Check      | Result                                       |
|------------|----------------------------------------------|
| RED        | userId leaks into $set without fix           |
| GREEN      | ✅ Destructuring strips userId and _id       |
| Full suite | ✅ 6/6 passing                               |

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes — fix verified correct.
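The pattern described in the PR description and checked in the RED/GREEN report above, as an added example that is not the project's code: the vulnerable `updateTask` shape (raw `req.body` into `$set`), the destructuring fix as the PR describes it, and a stricter allowlist variant that also scopes the filter to the caller. Field names (`title`, `description`, `status`, `tags`, `priority`, `dueDate`, `userId`, `_id`) come from the PR text; the in-memory `makeStore` stand-in for a Mongoose model, the request objects and the `EDITABLE` list are assumptions made for this demo, not code from the repository.

```javascript
// Added example (not the project's code). A tiny in-memory stand-in for
// `Model.findOneAndUpdate(filter, { $set: fields })`: matches every key in
// `filter`, then shallow-merges `fields` into the matched document.
function makeStore(docs) {
  const store = docs.map((d) => ({ ...d }));
  return {
    findOneAndUpdate(filter, update) {
      const doc = store.find((d) =>
        Object.entries(filter).every(([k, v]) => d[k] === v)
      );
      if (!doc) return null;
      Object.assign(doc, update.$set);
      return doc;
    },
    get(id) {
      return store.find((d) => d._id === id) || null;
    },
  };
}

// 1) Vulnerable shape from the PR description: raw req.body straight into $set
//    (CWE-915). Any field the client names, including userId, is written.
function updateTaskVulnerable(Task, req) {
  return Task.findOneAndUpdate({ _id: req.params.id }, { $set: req.body });
}

// 2) The fix as the PR describes it: destructure userId and _id out of
//    req.body and forward the remaining fields. Note this is a denylist:
//    any key not named here (e.g. __v) still reaches $set.
function updateTaskDenylist(Task, req) {
  const { userId, _id, ...safeFields } = req.body;
  return Task.findOneAndUpdate({ _id: req.params.id }, { $set: safeFields });
}

// 3) Stricter variant (assumption, not the PR's code): allowlist only the
//    editable fields the PR lists, and scope the filter to the authenticated
//    caller so a user can only update their own task. Unknown keys are dropped.
const EDITABLE = ['title', 'description', 'status', 'tags', 'priority', 'dueDate'];
function pickAllowed(body) {
  const out = {};
  for (const k of EDITABLE) if (Object.hasOwn(body, k)) out[k] = body[k];
  return out;
}
function updateTaskAllowlist(Task, req) {
  return Task.findOneAndUpdate(
    { _id: req.params.id, userId: req.user.id },
    { $set: pickAllowed(req.body) }
  );
}

// Constructed request: user "u1" tries to hand task "t1" to user "u2" and to
// smuggle an unrelated key (__v). `_id` is left out of the body here because
// MongoDB itself rejects a $set that changes the immutable _id; the PR strips
// it anyway as belt-and-braces.
function attackerRequest(callerId = 'u1') {
  return {
    params: { id: 't1' },
    user: { id: callerId },
    body: { title: 'pwned', userId: 'u2', __v: 42 },
  };
}
function seed() {
  return makeStore([{ _id: 't1', userId: 'u1', title: 'original', status: 'todo' }]);
}

// Run the same attacker payload through all three handlers on fresh stores.
function demo() {
  const results = {};
  let Task = seed();
  updateTaskVulnerable(Task, attackerRequest());
  results.vulnerable = Task.get('t1'); // userId is now "u2": task reassigned

  Task = seed();
  updateTaskDenylist(Task, attackerRequest());
  results.denylist = Task.get('t1'); // userId stays "u1", but __v leaked through

  Task = seed();
  updateTaskAllowlist(Task, attackerRequest());
  results.allowlist = Task.get('t1'); // only title changed

  Task = seed();
  results.wrongOwner = updateTaskAllowlist(Task, attackerRequest('u3')); // null: not the owner
  return results;
}
```

The destructuring fix closes the reported reassignment, but `demo().denylist` shows why an allowlist is the more durable shape: a denylist has to be revisited every time a protected field is added to the schema, whereas `pickAllowed` only ever forwards fields the handler has explicitly chosen to accept. Scoping the filter on `userId` as well is an assumption about the handler, not something the PR text states, but without it a caller can still edit tasks they do not own even when they can no longer reassign them.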

@aryandas2911 aryandas2911 merged commit edc9d0e into aryandas2911:main Jun 7, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues.

fix: mass assignment vulnerability in updateTask allows userId overwrite

2 participants