This is a bounty to fix a security vulnerability in the SecureBananaLabs bug bounty platform: a user must not be able to assign the admin role to their own account. The self-assignment most likely happens during user registration or profile updates, which is why the issue is described as the same problem as a previous issue (#1378) that restricted the roles a user may pick at registration.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are a highly skilled security-focused developer. I need you to implement a fix for a security vulnerability in a GitHub repository. The task is to prevent an authenticated user from assigning the 'admin' role to their own account (privilege escalation through role self-assignment). This is the same class of problem as issue #1378, which restricted the roles a user may choose at registration. Assume the codebase is a standard web application with typical user management. Your goal is to deliver a robust and tested fix.
Here's the plan:
1. **Repository Analysis**: Quickly analyze the user management and role assignment logic in the target repository (SecureBananaLabs/bug-bounty). Focus on API endpoints or functions that handle user registration, profile updates, or direct role modifications, and on any place where a request body is copied into a user record without an allow-list of permitted fields.
2. **Identify Vulnerable Path**: Pinpoint the exact code location(s) where a user could set or elevate their own role to 'admin', for example by including a role field in a registration or profile-update request that the server persists as-is.
3. **Implement Server-Side Validation**: Add server-side checks so that a role is always decided from the server-side record of the caller, never from client input: registration and profile updates must ignore any client-supplied role, and any explicit role-change operation must reject a request that would grant 'admin' to the caller's own account, as well as any role change attempted by a caller who is not already an admin.
4. **Test Cases**: Create a new test file or add to existing test suites (e.g., unit tests, integration tests) that specifically covers this scenario. Test cases should include:
* A non-admin user attempting to assign 'admin' to their own account, via registration, profile update, or the role-change endpoint (should fail, and the stored role must remain unchanged).
* An admin user attempting to assign 'admin' to their own account through the role-change endpoint (should fail, since self-assignment is rejected regardless of the caller's current role).
* An admin user attempting to assign 'admin' to another non-admin account (should succeed if intended, or fail if restricted by other rules).
* A non-admin user attempting to assign 'admin' to any account (should fail).
5. **Output**: Provide the modified code files, new test files, and clear instructions on how to run the tests and verify the fix. Assume a Node.js/TypeScript stack for implementation unless the repo clearly indicates otherwise. Focus on clarity, security best practices, and maintainability.

Bounty (amount on the issue). Same as #1378, registration role restriction.

---

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.
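The server-side validation of step 3 and the test scenarios of step 4, as an added TypeScript example. This is illustrative code written for this page, not code from SecureBananaLabs/bug-bounty: the in-memory store, the User/Role types and the function names (registerUser, updateProfile, changeRole, runScenarios) are assumptions about a typical Node.js/TypeScript user-management module, and the registerUserVulnerable variant is included only to show the mass-assignment pattern the fix removes.

```typescript
// Added example for this page; not code from SecureBananaLabs/bug-bounty.
// Assumed Node.js/TypeScript user-management module; all names are hypothetical.

type Role = "user" | "admin";

interface User {
  id: number;
  email: string;
  role: Role;
}

// Constructed in-memory store standing in for the application's database.
const users = new Map<number, User>();
let nextId = 1;

function seed(email: string, role: Role): User {
  const u: User = { id: nextId++, email, role };
  users.set(u.id, u);
  return u;
}

// VULNERABLE registration (shown for contrast only): the role is taken from the
// request body, so a client that sends {"role": "admin"} registers as admin.
function registerUserVulnerable(body: Record<string, unknown>): User {
  const role = (body.role as Role | undefined) ?? "user"; // BUG: trusts client input
  return seed(String(body.email ?? ""), role);
}

// HARDENED registration: only an allow-list of fields is read from the body, and
// every new account starts as "user" no matter what the client sent.
function registerUser(body: Record<string, unknown>): User {
  const email = String(body.email ?? "");
  if (!email.includes("@")) throw new Error("invalid email");
  return seed(email, "user");
}

// HARDENED self-service profile update: the caller may change their own email;
// a client-supplied "role" field is ignored rather than persisted.
function updateProfile(actorId: number, patch: Record<string, unknown>): User {
  const actor = users.get(actorId);
  if (!actor) throw new Error("unknown user");
  if (typeof patch.email === "string") actor.email = patch.email;
  return actor;
}

type RoleChangeResult = { ok: true } | { ok: false; reason: string };

// HARDENED explicit role change: every decision is taken from the server-side
// record of the caller (actorId), never from anything in the request.
function changeRole(actorId: number, targetId: number, newRole: Role): RoleChangeResult {
  const actor = users.get(actorId);
  const target = users.get(targetId);
  if (!actor || !target) return { ok: false, reason: "unknown user" };
  // Only administrators may modify roles at all.
  if (actor.role !== "admin") return { ok: false, reason: "forbidden: caller is not an admin" };
  // Nobody may grant the admin role to their own account, whatever their current role.
  if (newRole === "admin" && actorId === targetId) {
    return { ok: false, reason: "forbidden: admin self-assignment" };
  }
  target.role = newRole;
  return { ok: true };
}

// Runs the step-4 scenarios against a fresh store and returns the outcomes.
function runScenarios() {
  users.clear();
  nextId = 1;
  const admin = seed("root@example.test", "admin");
  const alice = seed("alice@example.test", "user");
  const bob = seed("bob@example.test", "user");
  // Constructed attacker-controlled request bodies carrying a "role" field.
  const taintedRegistration = { email: "mallory@example.test", role: "admin" };
  const taintedProfile = { email: "bob2@example.test", role: "admin" };
  return {
    vulnerableRegistrationRole: registerUserVulnerable(taintedRegistration).role, // "admin"
    hardenedRegistrationRole: registerUser(taintedRegistration).role,             // "user"
    profileUpdateRole: updateProfile(bob.id, taintedProfile).role,                // "user"
    adminSelfAssign: changeRole(admin.id, admin.id, "admin"),                     // rejected
    adminPromotesAlice: changeRole(admin.id, alice.id, "admin"),                  // ok
    userSelfAssign: changeRole(bob.id, bob.id, "admin"),                          // rejected
    userPromotesOther: changeRole(bob.id, alice.id, "admin"),                     // rejected
  };
}

console.log(runScenarios());
```

Run it with `ts-node` (or compile with `tsc` and run under Node). The design point is that the authorization decision in `changeRole` depends only on the caller's stored record and on the actor/target identity comparison, so neither a forged `role` field nor a forged caller identity in the body can influence it; the registration and profile paths never read `role` from the client at all.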
Standard GitHub access
Codebase analysis of the user-management and role-assignment paths, plus familiarity with whatever framework or library the repo uses, if any (~a day for initial review)
Learn it: TypeScript handbook ↗
General security knowledge applies
Since the issue is limited to its creator, create a *new* issue on SecureBananaLabs/bug-bounty referencing issue #1426, and open a discussion on that new issue proposing your solution, ideally backed by a draft PR on your own fork.
“I've analyzed the 'prevent admin role self-assignment' issue (#1426) and similar ones. I've developed a robust solution on my fork, including test cases, to prevent this vulnerability. I'd be happy to share the approach and discuss a path to deliver a tested PR. Could we discuss creating a new, dedicated issue for me to submit this solution and claim the bounty?”