The `SantasList::checkList()` function is utilized by Santa to conduct a first pass on individuals, determining whether they fall under the "naughty" or "nice" category. Consequently, it is imperative that only Santa has the authority to invoke this function, and access should be restricted from everyone else.
The absence of the `onlySanta` modifier in the `SantasList::checkList()` function allows anyone to call the function without restriction. To rectify this vulnerability, the `SantasList::onlySanta` modifier should be incorporated into the `SantasList::checkList()` function, ensuring that only Santa can perform this crucial action.
The current state of the `SantasList::checkList()` function permits unrestricted access, enabling anyone to invoke the external function and modify the status of themselves or others. This poses a significant security risk as it compromises the integrity of the list, allowing unauthorized individuals to influence the evaluation of naughty or nice status.
Manual review.
It is recommended to implement the following changes in the `SantasList::checkList()` function signature:
By incorporating the `onlySanta` modifier, access to the `SantasList::checkList()` function will be restricted to Santa alone, mitigating the potential risks associated with unauthorized modifications to the list.
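
A minimal sketch of the missing access control and its fix, added here as an example and not taken from the contest's contract. Only `checkList()` and `onlySanta` are named in the finding; `Status`, `i_santa`, `s_firstPass`, `NotSanta`, `CheckedOnce` and the deployer-is-Santa constructor are assumed names for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the contest's contract. Only checkList() and onlySanta
// are named in the finding; every other identifier here is an assumption.
contract SantasListSketch {
    enum Status { UNKNOWN, NICE, NAUGHTY }

    error NotSanta();
    event CheckedOnce(address indexed person, Status status);

    address private immutable i_santa;
    mapping(address => Status) private s_firstPass;

    constructor() {
        i_santa = msg.sender; // assumption: the deployer is Santa
    }

    // Reverts unless the caller is Santa.
    modifier onlySanta() {
        if (msg.sender != i_santa) revert NotSanta();
        _;
    }

    // Before: no access control, so any account can set any address's status.
    function checkListUnrestricted(address person, Status status) external {
        s_firstPass[person] = status;
        emit CheckedOnce(person, status);
    }

    // After: the same body, gated by onlySanta.
    function checkList(address person, Status status) external onlySanta {
        s_firstPass[person] = status;
        emit CheckedOnce(person, status);
    }

    // Read-only view of the first-pass status, for tests and review.
    function firstPassOf(address person) external view returns (Status) {
        return s_firstPass[person];
    }
}
```

A regression test for the fix should call `checkList()` from a non-Santa address and expect the `NotSanta` revert, then confirm the stored status is unchanged.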
Anyone is able to call `checkList()` and change the status of a provided address. This is not intended functionality; the function is meant to be callable only by Santa.