From 195c9bd81f88a87de5a11da84d1495acdbeb3b6a Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan <girish@cloudron.io>
Date: Sun, 22 Nov 2020 21:42:08 -0800
Subject: [PATCH] check the type of userIds array

---
 src/routes/groups.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/routes/groups.js b/src/routes/groups.js
index 493c1f3ec..65ec092cc 100644
--- a/src/routes/groups.js
+++ b/src/routes/groups.js
@@ -62,6 +62,7 @@ function updateMembers(req, res, next) {
 
     if (!req.body.userIds) return next(new HttpError(404, 'missing or invalid userIds fields'));
     if (!Array.isArray(req.body.userIds)) return next(new HttpError(404, 'userIds must be an array'));
+    if (req.body.userIds.some((u) => typeof u !== 'string')) return next(new HttpError(400, 'userIds array must contain strings'));
 
     groups.setMembers(req.params.groupId, req.body.userIds, function (error) {
         if (error) return next(BoxError.toHttpError(error));