Privilege Escalation Fix

[chasebowman-contrast]

Pull Request check-list

To ensure your Pull Request can be accepted as fast as possible, make sure to review and check all of these items:

• If your changes affects code, did your write the tests?
• [ x] Are tests passing? (npm test on both front/server)
• [ x] Is the linter passing? (npm run eslint on both front/server)
• [ x] Did you run prettier? (npm run prettier on both front/server)
• If you are adding a new features/services, did you run integration comparator? (npm run compare-translations on front)
• Did you test this pull request in real life? With real devices? If this development is a big feature or a new service, we recommend that you provide a Docker image to the community (french forum/english forum) for testing before merging.
• If your changes modify the API (REST or Node.js), did you modify the API documentation? (Documentation is based on comments in code)
• If you are adding a new features/services which needs explanation, did you modify the user documentation? See the GitHub repo and the website.
• Did you add fake requests data for the demo mode (front/src/config/demo.js) so that the demo website is working without a backend? (if needed) See https://demo.gladysassistant.com.

NOTE: these things are not required to open a PR and can be done afterwards / while the PR is open.

Description of change

This is a quick fix for a privilege escalation vulnerability reported privately through the security.md process.
The /api/v1/me endpoint is called when updating/saving a users profile. This endpoints route handling is vulnerable to mass assignment which means, changing the role parameter from “user” to “admin” while submitting a save profile request will change your role to admin. This lets you have full control to the Gladys and could even kick out the original administrator. This fix is to delete the role parameter before passing it to the update function. A more robust solution in the future will be to use options.fields from here https://sequelize.org/api/v6/class/src/model.js~model#static-method-update to allowlist what fields can be updated.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.48%. Comparing base (269d31a) to head (73e74e9).
Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2115   +/-   ##
=======================================
  Coverage   98.48%   98.48%           
=======================================
  Files         867      867           
  Lines       14171    14172    +1     
=======================================
+ Hits        13956    13957    +1     
  Misses        215      215           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[relativeci]

#2727 Bundle Size — 10.19MiB (0%).

73e74e9(current) vs 269d31a master#2726(baseline)

Warning

Bundle contains 3 duplicate packages – View duplicate packages

Bundle metrics  no changes

	Current #2727	Baseline #2726
Initial JS	5.5MiB	5.5MiB
Initial CSS	303.12KiB	303.12KiB
Cache Invalidation	0%	53.84%
Chunks	51	51
Assets	171	171
Modules	1490	1490
Duplicate Modules	21	21
Duplicate Code	0.83%	0.83%
Packages	124	124
Duplicate Packages	3	3

Bundle size by type  no changes

	Current #2727	Baseline #2726
JS	7.28MiB	7.28MiB
IMG	2.48MiB	2.48MiB
CSS	319.91KiB	319.91KiB
Fonts	93.55KiB	93.55KiB
Other	17.62KiB	17.62KiB
HTML	13.58KiB	13.58KiB

Bundle analysis report Branch chasebowman-contrast:master Project dashboard

---

^{Generated by RelativeCI Documentation Report issue}

[chasebowman-contrast]

@Pierre-Gilles - Opening a PR per our Email Conversation