WISVCH / events

Registration for CH events (lectures, workshops, excursions, ...)
https://ch.tudelft.nl/events/

Ticket scanner data leak #355

Closed JoepdeJong closed 2 years ago

JoepdeJong commented 2 years ago

Describe the bug

I noticed that the response of a ticket scanner request leaks user data and ticket sale information data when scanning a valid ticket.

For example events/api/v1/sales/scan/event/{barcode}/barcode returns this response:

{
    "status": "208 ALREADY_REPORTED",
    "timestamp": "************T16:22:59.222805",
    "message": "Ticket has already been scanned",
    "object": {
        "ticket": {
            "id": 11,
            "key": "e3e35f29-4f1d-47fc-****-*****",
            "order": {
                "id": 10,
                "publicReference": "******-48b9-41f4-****-*****",
                "owner": {
                    "id": 1,
                    "key": "******-fc5f-4f36-88cc-*****",
                    "sub": "WISVCH.*****",
                    "name": "Joep",
                    "email": "joe*******@*****",
                    "rfidToken": "",
                    "verifiedChMember": ****,
                    "ldapGroups": [
                        "****"
                    ],
                    "createdAt": "********T20:52:51.736"
                },
                "amount": 0.0,
                "orderProducts": [
                    {
                        "id": 9,
                        "product": {
                            "id": 3,
                            "key": "8a2815dc-e699-****-****",
                            "title": "****",
                            "description": "****",
                            "cost": ***.***,
                            "sold": ***,
                            "reserved": 0,
                            "maxSold": *,
                            "maxSoldPerCustomer": *,
                            "sellStart": "********.T21:06:00",
                            "sellEnd": "*********T12:00:00",
                            "products": [],
                            "linked": ***,
                            "chOnly": ***,
                            "reservable": ***
                        },
                        "price": ***,
                        "amount": ***
                    }
                ],
                "createdBy": "events-webshop",
                "createdAt": "******T16:08:08.385",
                "paidAt": null,
                "status": "PAID",
                "paymentMethod": "OTHER",
                "ticketCreated": false,
                "chPaymentsReference": null
            },
            "owner": {
                "id": 1,
                "key": "ea4e4fe1-fc5f-4f36-************",
                "sub": "WISVCH.******",
                "name": "Joep",
                "email": "joep************",
                "rfidToken": "",
                "verifiedChMember": ******,
                "ldapGroups": [
                    "******"
                ],
                "createdAt": "************T20:52:51.736"
            },
            "product": {
                "id": 3,
                "key": "8a2815dc-e699-4d2a-************",
                "title": "TEST",
                "description": "******",
                "cost": 0.0,
                "sold": 0,
                "reserved": 0,
                "maxSold": 5,
                "maxSoldPerCustomer": 1,
                "sellStart": "************T21:06:00",
                "sellEnd": "************T12:00:00",
                "products": [],
                "linked": true,
                "chOnly": false,
                "reservable": true
            },
            "uniqueCode": "************",
            "status": "SCANNED",
            "valid": true
        }
    }
}

To Reproduce

  1. Go to wisv.ch/events/sales/scan
  2. Select an event
  3. Scan a valid ticket
  4. Check response

Expected behavior

I expected no user data or ticket sale data to be returned.
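Two things a maintainer would want alongside this report are a regression check that flags personal or order data anywhere in a scan response, and an allow-list projection that returns only what a scanner needs to decide admission. The following is an added example and not code from the WISVCH/events project: the sample response is constructed in the shape shown in the issue with made-up values, and the set of keys treated as sensitive (email, sub, ldapGroups, rfidToken, verifiedChMember, key, publicReference, chPaymentsReference, cost, sold, amount) is an assumption, not a definition from the project.

```python
"""Added example (not WISVCH/events project code): detect leaked user/order
fields in a ticket-scan response and project it down to a scanner-only view.
The sample response and the SENSITIVE_KEYS set are assumptions modelled on
the issue text."""
import json
from typing import Any

# Constructed sample in the shape of the response quoted in the issue;
# every value below is made up.
LEAKY_SCAN_RESPONSE = {
    "status": "208 ALREADY_REPORTED",
    "message": "Ticket has already been scanned",
    "object": {
        "ticket": {
            "id": 11,
            "key": "00000000-0000-4000-8000-000000000011",
            "order": {
                "id": 10,
                "publicReference": "00000000-0000-4000-8000-000000000010",
                "owner": {"id": 1, "sub": "WISVCH.example", "name": "Joep",
                          "email": "joep@example.invalid",
                          "ldapGroups": ["members"]},
                "amount": 0.0,
                "status": "PAID",
                "chPaymentsReference": None,
            },
            "owner": {"id": 1, "sub": "WISVCH.example", "name": "Joep",
                      "email": "joep@example.invalid", "rfidToken": "",
                      "ldapGroups": ["members"]},
            "product": {"id": 3, "title": "TEST", "cost": 0.0,
                        "sold": 0, "maxSold": 5},
            "uniqueCode": "123456",
            "status": "SCANNED",
            "valid": True,
        }
    },
}

# Assumption: keys that must never reach a scanner client (personal data,
# account identifiers, order and payment details).
SENSITIVE_KEYS = frozenset({
    "email", "sub", "ldapGroups", "rfidToken", "verifiedChMember",
    "key", "publicReference", "chPaymentsReference", "cost", "sold", "amount",
})


def find_sensitive_paths(node: Any, path: str = "$") -> list[str]:
    """Walk a decoded JSON document and return the JSON path of every
    occurrence of a key in SENSITIVE_KEYS, however deeply nested."""
    found: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                found.append(child)
            found.extend(find_sensitive_paths(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(find_sensitive_paths(value, f"{path}[{index}]"))
    return found


def scan_response_is_clean(response: dict) -> bool:
    """True when no sensitive key appears anywhere in the response."""
    return not find_sensitive_paths(response)


def project_scan_result(response: dict) -> dict:
    """Allow-list projection: copy only the fields a scanner needs, so new
    fields added to the ticket/order/owner models cannot leak by default."""
    ticket = response["object"]["ticket"]
    return {
        "status": response["status"],
        "message": response["message"],
        "ticket": {
            "id": ticket["id"],
            "product": ticket["product"]["title"],
            "status": ticket["status"],
            "valid": ticket["valid"],
        },
    }


if __name__ == "__main__":
    print("leaked fields:", json.dumps(find_sensitive_paths(LEAKY_SCAN_RESPONSE), indent=2))
    print("projected:", json.dumps(project_scan_result(LEAKY_SCAN_RESPONSE), indent=2))
```

The projection copies named fields rather than deleting known-bad ones, so the check in `find_sensitive_paths` serves as a regression test for the response as a whole while `project_scan_result` is the shape the endpoint should serialize; whether the attendee's name belongs in the scanner view is a product decision and is deliberately left out of `SENSITIVE_KEYS` here.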