Description
I have made an effort to find a private channel for reporting this vulnerability but was unable to locate one. This issue is being reported in good faith to help the team improve the project's security and stability. No systems were exploited or harmed, and no sensitive data was accessed or exfiltrated.
In https://github.com/cornell-dti/cureviews/blob/main/server/src/admin/admin.controller.ts#L523C34-L523C39, the route that exposes this function appears to be intended for administrative use, but it lacks any authentication or authorization checks, allowing it to be triggered by any user.
There is also another major vulnerability due to its inefficient implementation, which makes it extremely dangerous and feasible to attack.
The function's logic iterates through a list of reviews and, for each one, executes another database query (getCourseReviews). This is an N+1 query problem. If findReviewsByDate returns 1000 reviews, it will end up making 1 initial query + 1000 additional queries to the database.
A malicious actor can easily exploit this. By calling the function with a start date far in the past, they can force the system to process a huge number of reviews. This, in turn, triggers a massive number of subsequent database queries inside the loop. For example, it takes around 10 seconds for the backend server to respond to this route, indicating the heavy workload done behind the scenes.
This could lead to Denial of Service when a large number of simultaneous requests hit the server. Given that this can be triggered by an unauthenticated party with minimal cost to attack, it presents a serious potential attack vector.
I've been amazed by the talent at DTI and wish to point this out to help make the project better. There are also several similar severity issues in this product and other DTI projects, and I plan to write up issues for them as time allows.
Disclaimer: I have not and will not use this route to attack the product, or other issues to attack any other products by DTI.
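The following is an added example, not code from the cureviews repository: an in-memory model of the reported route with a query counter, so the N+1 cost of the loop can be measured beside a batched lookup and an admin-role check that runs before any expensive work. `findReviewsByDate` and `getCourseReviews` are the names from the report; `getCourseReviewsForCourses`, `adminRouteHandler`, `AdminRequest` and the sample data are assumptions made for this illustration.

```typescript
type Review = { id: string; courseId: string; date: Date };
// Constructed sample data: 1000 reviews across 50 courses, dated through 2020.
const reviewsTable: Review[] = Array.from({ length: 1000 }, (_, i) => ({
  id: `r${i}`, courseId: `c${i % 50}`, date: new Date(2020, 0, 1 + (i % 365)),
}));
// Every simulated database call appends here so its cost can be measured.
const queryLog: string[] = [];

// Stand-in for findReviewsByDate from the report: one query.
function findReviewsByDate(since: Date): Review[] {
  queryLog.push("findReviewsByDate");
  return reviewsTable.filter((r) => r.date >= since);
}
// Stand-in for getCourseReviews from the report: one query per call.
function getCourseReviews(courseId: string): Review[] {
  queryLog.push(`getCourseReviews:${courseId}`);
  return reviewsTable.filter((r) => r.courseId === courseId);
}
// Hypothetical batched lookup: one query for a whole set of course ids
// (an `$in`-style filter), grouped so the loop needs no further queries.
function getCourseReviewsForCourses(ids: Set<string>): Map<string, Review[]> {
  queryLog.push("getCourseReviewsForCourses");
  const byCourse = new Map<string, Review[]>();
  for (const r of reviewsTable.filter((x) => ids.has(x.courseId))) {
    byCourse.set(r.courseId, [...(byCourse.get(r.courseId) ?? []), r]);
  }
  return byCourse;
}

// The pattern the report describes: a query inside the loop, 1 + N in total.
function countQueriesNPlusOne(since: Date): number {
  queryLog.length = 0;
  for (const r of findReviewsByDate(since)) getCourseReviews(r.courseId);
  return queryLog.length;
}
// Batched version: exactly two queries however many reviews match.
function countQueriesBatched(since: Date): number {
  queryLog.length = 0;
  const reviews = findReviewsByDate(since);
  getCourseReviewsForCourses(new Set(reviews.map((r) => r.courseId)));
  return queryLog.length;
}

// Hypothetical handler: reject callers without a verified admin role before
// any expensive work runs.
type AdminRequest = { user?: { role: string } };
function adminRouteHandler(req: AdminRequest, since: Date): { status: number; queries: number } {
  if (req.user?.role !== "admin") return { status: 403, queries: 0 };
  return { status: 200, queries: countQueriesBatched(since) };
}
```

Moving the start date earlier grows the N+1 count linearly with the number of matching reviews, while the batched count stays at two regardless of the date.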