
Unreliable URL formatting

Open SOF3 opened this issue 5 years ago • 2 comments

In the example https://rust-lang-nursery.github.io/rust-cookbook/web/clients/apis.html#query-the-github-api, URL fragments are interpolated using format!(), which is insensitive to URL formats. This would result in issues when the user input contains invalid characters (such as spaces), or even lead to security vulnerabilities if the method is POST and parameters contain slashes.

SOF3 avatar Jun 04 '20 10:06 SOF3

I think a good solution to this is to include a footer to the recipe that links to the percent encoding recipe https://rust-lang-nursery.github.io/rust-cookbook/encoding/strings.html#percent-encode-a-string What do you think?

AndyGauge avatar Jun 04 '20 14:06 AndyGauge

That seems to solve the issue of getting spaces in URLs. But what about slashes? Some validation might be preferable, otherwise people reading these examples might introduce sec vulns in the future. I'm not sure about how much cookbook cares about validation/security so idk if this needs to be fixed.

SOF3 avatar Jun 05 '20 05:06 SOF3
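
Added example, not part of the thread or of the cookbook's own code: the difference between interpolating values into a URL path with format!() and encoding each value as a single path segment first. The host, route and function names are assumptions made for illustration, and the hand-written encoder stands in for the percent-encoding recipe linked above so that the block needs only the standard library.

```rust
// Added illustration: std-only; host, route and function names are hypothetical.

/// Percent-encode one path segment. Only RFC 3986 "unreserved" bytes pass
/// through, so '/', '?', '#', '%' and spaces cannot alter the URL structure.
fn encode_segment(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for b in input.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// The pattern the issue describes: raw interpolation with format!().
fn naive_url(owner: &str, repo: &str) -> String {
    format!("https://api.example.com/repos/{}/{}/stargazers", owner, repo)
}

/// Same route with each value encoded. Empty, "." and ".." are rejected
/// because encoding leaves dot-segments unchanged and they still alter the path.
fn safe_url(owner: &str, repo: &str) -> Result<String, String> {
    if let Some(bad) = [owner, repo]
        .iter()
        .find(|s| s.is_empty() || **s == "." || **s == "..")
    {
        return Err(format!("invalid path segment: {:?}", bad));
    }
    Ok(format!(
        "https://api.example.com/repos/{}/{}/stargazers",
        encode_segment(owner),
        encode_segment(repo)
    ))
}

fn main() {
    // Constructed inputs: a space, and a value carrying slashes and a query.
    for repo in ["my repo", "cookbook/../../admin?x=1"] {
        println!("naive: {}", naive_url("acme", repo));
        println!("safe:  {:?}", safe_url("acme", repo));
    }
}
```

With the naive builder the second input adds path segments and a query string to the request; with the encoded builder it stays one opaque segment that the server can reject or look up as-is.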