Add CAPTCHA verification to securityQuestion endpoint to prevent email enumeration attacks

[zeropath-ai-dev]

Summary

• The Vulnerability Description: The securityQuestion endpoint did not verify if requests included a valid CAPTCHA response, allowing attackers to automate email enumeration and discover which email addresses are registered in the system.
• This Fix: The patch introduces mandatory CAPTCHA verification on all requests to the securityQuestion endpoint, blocking automated enumeration and ensuring only legitimate human interaction is allowed.
• The Cause of the Issue: The endpoint previously returned information based solely on email presence, without any bot mitigation like CAPTCHA, leaving user enumeration open to automated attacks.
• The Patch Implementation: The fix adds a verifyCaptcha function, requires a CAPTCHA token on each request, validates the token before processing, and rejects any request missing or failing CAPTCHA verification with an appropriate error response.

Vulnerability Details

• Vulnerability Class: Natural Language Rule Violation
• Severity: 6.9
• Affected File: routes/securityQuestion.ts
• Vulnerable Lines: 11-32

Code Snippets

diff --git a/lib/verifyCaptcha.ts b/lib/verifyCaptcha.ts
new file mode 100644
index 000000000..e1cfeaa1a
--- /dev/null
+++ b/lib/verifyCaptcha.ts
@@ -0,0 +1,18 @@
+export async function verifyCaptcha(token: string): Promise<void> {
+  const secret = process.env.CAPTCHA_SECRET
+  if (!secret) {
+    throw new Error('Missing CAPTCHA secret configuration')
+  }
+  const response = await fetch(
+    'https://www.google.com/recaptcha/api/siteverify',
+    {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: `secret=${secret}&response=${token}`
+    }
+  )
+  const data: { success: boolean } = await response.json()
+  if (!data.success) {
+    throw new Error('Captcha verification failed')
+  }
+}
diff --git a/routes/securityQuestion.ts b/routes/securityQuestion.ts
index f780e8acf..514b6897c 100644
--- a/routes/securityQuestion.ts
+++ b/routes/securityQuestion.ts
@@ -7,11 +7,17 @@ import { type Request, type Response, type NextFunction } from 'express'
 import { SecurityAnswerModel } from '../models/securityAnswer'
 import { UserModel } from '../models/user'
 import { SecurityQuestionModel } from '../models/securityQuestion'
+import { verifyCaptcha } from '../lib/verifyCaptcha'
 
 module.exports = function securityQuestion () {
-  return ({ query }: Request, res: Response, next: NextFunction) => {
-    const email = query.email
-    SecurityAnswerModel.findOne({
+  return (req: Request, res: Response, next: NextFunction) => {
+    const email = req.query.email
+    const responseToken = req.query.captchaToken?.toString()
+    if (!responseToken) {
+      return res.status(400).json({ error: 'Missing CAPTCHA token' })
+    }
+    verifyCaptcha(responseToken).then(() => {
+      SecurityAnswerModel.findOne({
       include: [{
         model: UserModel,
         where: { email: email?.toString() }
@@ -28,6 +34,8 @@ module.exports = function securityQuestion () {
       }
     }).catch((error: unknown) => {
       next(error)
+    }).catch((error: Error) => {
+      res.status(403).json({ error: 'Invalid CAPTCHA token' })
     })
   }
 }

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai-dev bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai-dev!

To request modifications, please post a comment beginning with @zeropath-ai-dev and specify the changes required.

@zeropath-ai-dev will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_natural_language_rule_violation_1755145780737109

# if vscode is installed run (or use your favorite editor / IDE):
code routes/securityQuestion.ts

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_natural_language_rule_violation_1755145780737109