Fix Mass Assignments in Leads Endpoint

[christopherholland-workday]

Overview

The endpoint uses Object.assign() to copy all properties from the request body to the Lead entity without any input validation or field filtering. This allows attackers to bypass auto-generated fields and inject arbitrary values.

This PR allows only the fields that are user controlled to be user controlled ('chatflowid', 'name', 'email', 'phone').

Testing

Ran the same curl requests that exposed the issue and ensured that the fields like id and createdDate were generated by the code and not overridden by the request.

Example 1: id

Request:

curl -X POST http://localhost:3000/api/v1/leads \
-H "Content-Type: application/json" \
-d '{ "chatflowid": "attacker-chatflow-456", "name": "Attacker", "email": "attacker@evil.com", "phone": "555-EVIL", "id": "nah-nah-nah" }'

Result (id was not taken from request):                         
{"name":"Attacker","email":"attacker@evil.com","phone":"555-EVIL","chatflowid":"attacker-chatflow-456","chatId":"865b3723-3486-4605-9c76-ebd6b16a96d8","id":"bb39625f-d9a6-49de-888c-c0f2f0ded6db","createdDate":"2026-01-22T23:32:03.000Z"}% 

Example 2: createdDate

Request:

curl -X POST http://localhost:3000/api/v1/leads \
-H "Content-Type: application/json" \
-d '{ "chatflowid": "timestamp-test-789", "name": "Time Traveler", "email": "timetraveler@evil.com", "createdDate": "1970-01-01T00:00:00.000Z" }'

Result (createdDate was not taken from request)
{"name":"Time Traveler","email":"timetraveler@evil.com","chatflowid":"timestamp-test-789","chatId":"5c9a31e1-19e4-4887-b122-2f3bc6b01d26","id":"c0c97fd6-0eea-4f9d-b387-ff9b9cbc0df9","createdDate":"2026-01-22T23:38:02.000Z"}

Previously, the id and createdDate value would've been taken from the requests

[gemini-code-assist]

Summary of Changes

Hello @christopherholland-workday, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a critical security fix to the Leads endpoint by preventing mass assignment. It refactors the lead creation logic to explicitly whitelist which fields from the incoming request body can be used to populate a new Lead entity. This change safeguards against malicious or accidental overwriting of system-controlled attributes, thereby enhancing the application's data integrity and security posture.

Highlights

• Security Enhancement: Addressed a mass assignment vulnerability in the Leads endpoint by implementing a whitelist for fields copied from the request body.
• Data Integrity: Ensured that sensitive or auto-generated fields like 'id' and 'createdDate' cannot be overridden by user input, protecting against unauthorized data manipulation.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly resolves a critical mass assignment vulnerability in the leads endpoint by introducing a whitelist of permissible fields. The approach is sound and effectively prevents attackers from overwriting system-generated fields. My review includes a minor suggestion for improving code style and maintainability. The provided rule regarding authorization checks for internal/external APIs does not apply to this specific comment.

[gemini-code-assist]

This logic correctly filters the properties from the request body, fixing the vulnerability. For improved performance and code organization, consider defining allowedFields as a constant at the module level, outside the createLead function. This prevents the array from being recreated on every function call.

Additionally, while the for...of loop is perfectly fine, I'm suggesting a minor refactor to use forEach and a more common type assertion style, which can be slightly more declarative.

Suggested change

	const allowedFields: (keyof ILead)[] = ['chatflowid', 'name', 'email', 'phone']
	for (const field of allowedFields) {
	if (body[field] !== undefined) {
	newLead[field] = body[field] as any
	}
	}
	const allowedFields: (keyof ILead)[] = ['chatflowid', 'name', 'email', 'phone'];
	allowedFields.forEach(field => {
	if (body[field] !== undefined) {
	(newLead as any)[field] = body[field];
	}
	});