Security: Form body parameter injection in getImsAdminProfile

## Summary

`getImsAdminProfile` in `spacecat-shared-ims-client` constructs a `application/x-www-form-urlencoded` POST body via string concatenation without URL-encoding the `guid` or `authSource` values. This allows form body parameter injection if the caller passes unsanitized user input.

## Location

`packages/spacecat-shared-ims-client/src/clients/ims-client.js` - around line 357:

```javascript
const formBody = `guid=${guid}&client_id=${this.config.clientId}&auth_src=${authSource}`;
```

The `guid` and `authSource` come from `extractGuidAndAuthSource` in `utils.js` (line ~69), which does a bare `split('@')` with no validation or encoding:

```javascript
const [guid, authSource] = imsId.split('@');
```

## Attack Scenario

If a caller passes user-controlled input (e.g., from a Slack command or API parameter), an attacker can inject additional form parameters:

- Input: `fakeGuid&client_id=malicious_client@AdobeOrg`
- After `split('@')`: `guid = "fakeGuid&client_id=malicious_client"`, `authSource = "AdobeOrg"`
- Resulting form body: `guid=fakeGuid&client_id=malicious_client&client_id=<real_client_id>&auth_src=AdobeOrg`

Depending on how the IMS server handles duplicate parameters (first-wins vs last-wins), the attacker could override `client_id` or inject arbitrary parameters into an authenticated server-to-server request bearing a service access token.

## Impact

- This is a form parameter pollution / HTTP parameter tampering vulnerability
- The request is authenticated with a service access token (admin-profile-read scope), so injected parameters ride on elevated credentials
- Affects all callers of `getImsAdminProfile`, not just a specific command
- Practical exploitability depends on IMS server-side parsing behavior, but the vulnerability exists in the code path regardless

## Recommended Fix

Use `URLSearchParams` instead of string concatenation:

```javascript
const params = new URLSearchParams();
params.set('guid', guid);
params.set('client_id', this.config.clientId);
params.set('auth_src', authSource);
const formBody = params.toString();
```

This automatically URL-encodes all values, preventing parameter injection.

Additionally, `extractGuidAndAuthSource` should validate the input format before splitting:

```javascript
const IMS_ID_PATTERN = /^[A-Za-z0-9]+@[A-Za-z0-9]+$/;
if (!IMS_ID_PATTERN.test(imsId)) {
  throw new Error(`Invalid IMS ID format: expected GUID@AuthSource`);
}
```

## Found During

Security review of [adobe/spacecat-api-service#1814](https://github.com/adobe/spacecat-api-service/pull/1814)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Form body parameter injection in getImsAdminProfile #1352

Summary

Location

Attack Scenario

Impact

Recommended Fix

Found During

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: Form body parameter injection in getImsAdminProfile #1352

Description

Summary

Location

Attack Scenario

Impact

Recommended Fix

Found During

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions