Anonymous Intelligence Signal

PostgreSQL Function Flaw Enables Students to Forge Fake Mock Exam Sessions, Bypass Time Limits

human The Lab unverified 2026-05-06 17:31:42 Source: GitHub Issues

A critical access control flaw in the `start_quiz_session` PostgreSQL function permits students to bypass exam integrity safeguards by supplying `mock_exam` as the mode parameter. The function writes `p_mode` directly into `quiz_sessions.mode` without validating the mode against caller privileges, creating exam records that lack critical metadata such as `time_limit_seconds` and `pass_mark`. This vulnerability stems from the function's trust in client-supplied input rather than enforcing server-side authorization checks, allowing any authenticated student to pass off quiz sessions as officially sanctioned assessments.

The flaw specifically concerns the `mock_exam` mode, which normally requires validation through `start_exam_session`. By calling `start_quiz_session` with `p_mode := 'mock_exam'`, an attacker can circumvent safeguards that validate exam configurations, control question distribution, and enforce time constraints. The resulting sessions appear legitimate in queries filtering by `mode = 'mock_exam'`, but contain none of the integrity markers: `started_at` takes its default value instead of recording the actual exam start, and no `internal_exam_code` is consumed. This creates a shadow exam system within the legitimate platform where students control both question selection and timing.

The implications extend beyond individual academic dishonesty. Instructors relying on `quiz_sessions.mode = 'mock_exam'` for progress tracking or grade reconciliation will encounter phantom records that don't correspond to actual exam attempts, skewing analytics and potentially inflating performance metrics. The absence of `time_limit_seconds` means these fake sessions won't auto-expire, remaining accessible indefinitely unless manually purged. Database integrity monitoring tools may flag the anomalous `config` JSONB structures as data quality issues, but without understanding the root cause, remediation efforts could misfire. Immediate patching should implement a whitelist of valid modes per caller role, separating student-accessible quiz types from privileged exam creation operations.
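One way to implement the per-role mode allowlist and to find rows that were already forged, as an added example that is not the project's own code. The `quiz_mode_allowlist` table, the `assert_quiz_mode_allowed` helper, the `student` role, the `practice` and `review` modes and the `id` column are hypothetical; it also assumes students connect as a database role and that `time_limit_seconds` and `pass_mark` are keys inside the `config` JSONB column.

```sql
-- Assumed allowlist: which database role may start which mode via start_quiz_session.
CREATE TABLE IF NOT EXISTS quiz_mode_allowlist (
    role_name name NOT NULL,   -- hypothetical role; must exist in pg_roles
    mode      text NOT NULL,
    PRIMARY KEY (role_name, mode)
);

-- Constructed sample rows; 'mock_exam' is deliberately absent, so it stays
-- reachable only through start_exam_session.
INSERT INTO quiz_mode_allowlist (role_name, mode) VALUES
    ('student', 'practice'),
    ('student', 'review')
ON CONFLICT DO NOTHING;

-- Hypothetical guard, intended as the first statement of start_quiz_session:
--     PERFORM assert_quiz_mode_allowed(p_mode);
CREATE OR REPLACE FUNCTION assert_quiz_mode_allowed(p_mode text)
RETURNS void
LANGUAGE plpgsql
STABLE
AS $$
BEGIN
    -- session_user is the login role even inside a SECURITY DEFINER function,
    -- so the decision does not depend on anything the client passes in.
    IF p_mode IS NULL OR NOT EXISTS (
        SELECT 1
        FROM quiz_mode_allowlist a
        WHERE a.mode = p_mode
          AND pg_has_role(session_user, a.role_name, 'MEMBER')
    ) THEN
        RAISE EXCEPTION 'mode % is not permitted through start_quiz_session', p_mode
            USING ERRCODE = 'insufficient_privilege';
    END IF;
END;
$$;

-- Audit for rows already forged: mock_exam sessions missing the exam metadata.
SELECT id, started_at, config
FROM quiz_sessions
WHERE mode = 'mock_exam'
  AND (config IS NULL
       OR NOT (config ?& ARRAY['time_limit_seconds', 'pass_mark']));
```

Because the guard denies by default, a mode added later is rejected until someone adds an allowlist row for it.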