From e78af42b3c979ea10a0a3bbd049041fcf27031bd Mon Sep 17 00:00:00 2001
From: Thorsten Eckel <te@zammad.com>
Date: Wed, 12 Feb 2020 15:25:31 +0100
Subject: [PATCH] Enhancement: Limit data send back to the browser for valid
 session.

---
 .../application_model/can_associations.rb     |  4 +--
 lib/session_helper.rb                         |  2 +-
 spec/requests/session_spec.rb                 | 27 +++++++++++++++++++
 3 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/app/models/application_model/can_associations.rb b/app/models/application_model/can_associations.rb
index 95f55f7ce..0cb97fde8 100644
--- a/app/models/application_model/can_associations.rb
+++ b/app/models/application_model/can_associations.rb
@@ -236,9 +236,7 @@ returns
 
   def filter_attributes(attributes)
     # remove forbidden attributes
-    %w[password token tokens token_ids].each do |item|
-      attributes.delete(item)
-    end
+    attributes.except!('password', 'token', 'tokens', 'token_ids')
   end
 
 =begin
diff --git a/lib/session_helper.rb b/lib/session_helper.rb
index ce1e41774..0bfea263d 100644
--- a/lib/session_helper.rb
+++ b/lib/session_helper.rb
@@ -3,7 +3,7 @@ module SessionHelper
     collections, assets = default_collections(user)
 
     {
-      session:     user,
+      session:     user.filter_attributes(user.attributes),
       models:      models(user),
       collections: collections,
       assets:      assets,
diff --git a/spec/requests/session_spec.rb b/spec/requests/session_spec.rb
index c90981075..84f560676 100644
--- a/spec/requests/session_spec.rb
+++ b/spec/requests/session_spec.rb
@@ -2,6 +2,33 @@ require 'rails_helper'
 
 RSpec.describe 'Sessions endpoints', type: :request do
 
+  describe 'GET /signshow' do
+
+    context 'user logged in' do
+
+      subject(:user) { create(:agent_user, password: password) }
+
+      let(:password) { SecureRandom.urlsafe_base64(20) }
+      let(:fingerprint) { SecureRandom.urlsafe_base64(40) }
+
+      before do
+        params = {
+          fingerprint: fingerprint,
+          username:    user.login,
+          password:    password
+        }
+        post '/api/v1/signin', params: params, as: :json
+      end
+
+      it 'leaks no sensitive data' do
+        params = { fingerprint: fingerprint }
+        get '/api/v1/signshow', params: params, as: :json
+
+        expect(json_response['session']).not_to include('password')
+      end
+    end
+  end
+
   describe 'GET /auth/sso (single sign-on)' do
     context 'with invalid user login' do
       let(:login) { User.pluck(:login).max.next }