Avatar upload lets one user overwrite another’s profile image #99

@YLChen-007

Avatar upload lets one user overwrite another’s profile image: /member/imgaeUpload accepts userId and token but never verifies that the token belongs to that user before updating DB records, so any authenticated user can change another user’s avatar.

    public Result<Object> imgaeUpload(@RequestBody CommonDto common){
        String imgPath = memberService.imageUpload(common.getUserId(),common.getToken(),common.getImgData());
        return new ResultUtil<Object>().setData(imgPath);
    }
    public String imageUpload(Long userId,String token,String imgData) {
        TbMember tbMember=tbMemberMapper.selectByPrimaryKey(userId);
        // updates the target record with no token/userId consistency check
        tbMemberMapper.updateByPrimaryKey(tbMember);
        Member member=loginService.getUserByToken(token);
        member.setFile(imgPath);
        jedisClient.set("SESSION:" + token, new Gson().toJson(member));
        return imgPath;
    }
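
One way to close the gap described in this issue, as an added example that is not the project's code or part of the original report: derive the member from the token and reject any request whose userId differs from it. The class name, the in-memory maps and the sample tokens are hypothetical stand-ins for the project's session store and member table.

```java
import java.util.HashMap;
import java.util.Map;

// Added example: hypothetical stand-ins, not the project's classes.
public class AvatarOwnershipCheck {
    // token -> member id, standing in for the "SESSION:" + token lookup
    static final Map<String, Long> sessions = new HashMap<>();
    // member id -> avatar path, standing in for the member table
    static final Map<Long, String> avatars = new HashMap<>();

    /** Resolves the caller from the token and refuses to touch any other member's record. */
    static String imageUpload(Long requestedUserId, String token, String imgPath) {
        Long callerId = sessions.get(token);
        if (callerId == null) {
            throw new SecurityException("invalid or expired token");
        }
        // The client-supplied userId is accepted only if it matches the session owner.
        if (!callerId.equals(requestedUserId)) {
            throw new SecurityException("token does not belong to userId " + requestedUserId);
        }
        // Write is keyed by the server-derived id, never by the request field.
        avatars.put(callerId, imgPath);
        return imgPath;
    }

    public static void main(String[] args) {
        // Constructed sample data
        sessions.put("token-alice", 1L);
        sessions.put("token-bob", 2L);
        avatars.put(1L, "/img/alice.png");
        avatars.put(2L, "/img/bob.png");

        imageUpload(2L, "token-bob", "/img/bob-new.png"); // own record: allowed
        try {
            imageUpload(1L, "token-bob", "/img/other.png"); // another member's record
            throw new AssertionError("cross-user update was accepted");
        } catch (SecurityException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
        if (!"/img/alice.png".equals(avatars.get(1L))) throw new AssertionError("alice changed");
        if (!"/img/bob-new.png".equals(avatars.get(2L))) throw new AssertionError("bob not updated");
        System.out.println("ok");
    }
}
```

The same ordering applies to the service method quoted above: look up the session first, then perform the database update only for the id the session resolves to.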
