Duplicate user check: missing input validation for check_type #3906

@Nixxx19

p5.js version

No response

What is your operating system?

None

Web browser and version

No response

Actual Behavior

duplicateUserCheck uses req.query.check_type as both the key to read the value (req.query[checkType]) and as valueType for findByEmailOrUsername, with no validation. Sending check_type=__proto__ or constructor can lead to prototype pollution or unexpected behavior.

Location: server/controllers/user.controller/signup.ts lines 98–100

Expected Behavior

check_type should be validated to be exactly 'email' or 'username'. Any other value should return 400 with a clear error.

Steps to reproduce

Steps:

  1. Call GET /editor/signup/duplicate_check?check_type=__proto__ (or check_type=constructor).
  2. Observe server uses that value as query key and as valueType; no validation error.
  3. Compare with valid call: GET /editor/signup/duplicate_check?check_type=email&email=test@example.com.

Snippet:

// signup.ts - duplicateUserCheck
const checkType = req.query.check_type;
const value = req.query[checkType];  // no whitelist
const options = { caseInsensitive: true, valueType: checkType };
const user = await User.findByEmailOrUsername(value!, options);
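
Added example (not part of the original issue and not the project's code): one way to implement the validation described under Expected Behavior, written as a pure function a handler could call before the database lookup. `ALLOWED_CHECK_TYPES`, `DuplicateCheckResult`, `unvalidatedLookup` and `parseDuplicateCheck` are hypothetical names, and the sample queries are constructed.

```typescript
// Added example, not the project's code; all names here are hypothetical.
const ALLOWED_CHECK_TYPES: readonly string[] = ['email', 'username'];

interface DuplicateCheckResult {
  status: number;      // HTTP status the handler should send
  checkType?: string;  // set only when status is 200
  value?: string;      // set only when status is 200
  error?: string;      // set only when status is 400
}

// The lookup from the issue's snippet, reproduced to show what it reads:
// for check_type=__proto__ or constructor it returns an inherited member,
// not a string supplied by the client.
function unvalidatedLookup(query: Record<string, unknown>): unknown {
  return query[query.check_type as string];
}

function parseDuplicateCheck(query: Record<string, unknown>): DuplicateCheckResult {
  const checkType = query.check_type;
  // Reject arrays, nested objects and any string outside the allow-list
  // before the value is ever used as a property key.
  if (typeof checkType !== 'string' || ALLOWED_CHECK_TYPES.indexOf(checkType) === -1) {
    return { status: 400, error: "check_type must be 'email' or 'username'" };
  }
  // Own-property lookup only, so inherited members are never read.
  const value = Object.prototype.hasOwnProperty.call(query, checkType)
    ? query[checkType]
    : undefined;
  if (typeof value !== 'string' || value.length === 0) {
    return { status: 400, error: `${checkType} must be a non-empty string` };
  }
  return { status: 200, checkType, value };
}

// Constructed sample queries, shaped like a parsed query string.
const sampleQueries: Record<string, unknown>[] = [
  { check_type: 'email', email: 'test@example.com' },
  { check_type: '__proto__' },
  { check_type: 'constructor' },
  { check_type: ['email'], email: 'test@example.com' },
  { check_type: 'username' },
];
for (const q of sampleQueries) {
  console.log(JSON.stringify(q), '->', JSON.stringify(parseDuplicateCheck(q)));
}
```

Only the first sample query passes; the others return status 400 before any value reaches `findByEmailOrUsername`.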
