
possible GitLab API injection attack

Open rexim opened this issue 6 years ago • 3 comments

introduced in #154

rexim avatar Sep 16 '19 12:09 rexim

Similar to #59

rexim avatar Sep 16 '19 12:09 rexim

https://github.com/tsoding/snitch/blob/72ba10cf8132634cb1406752ba6bd4f109d2a8ef/gitlab.go#L33-L37

Forgive me for my ignorance but what is the vulnerability? I would like to learn more about the possible API injection here.

aod avatar Jul 08 '20 10:07 aod

@aod Nothing serious here, otherwise I'd fix it right away. It's rather about sanitizing user input. That todo.ID always contains that thingie in the parentheses of the TODO line, hence it's user input:

//    todo.ID
//       |
//       v
// TODO(#69): rewrite this in Rust
// ...

So, if I do something like this in the codebase

// TODO(#path/to/undesirable/api/sub-endpoint/)

and then something like snitch purge, snitch will inject this subpath and try to perform an unintended API call.

I don't see how it could be exploited right now, but I think it's important to at least acknowledge this in the form of an issue, 'cause due to later changes this could become exploitable for something.

rexim avatar Jul 08 '20 14:07 rexim
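The mitigation the thread points at, shown as an added example in Go (not snitch's own code): validate the TODO id against the shape snitch itself writes before it is spliced into the GitLab API path, and escape the project identifier separately. The id format `#<digits>`, the `/api/v4/projects/<id>/issues/<iid>` path, and the function names here are assumptions for illustration; `UnsafeIssueURL` reproduces the untouched-splice pattern the issue describes so the two can be compared.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// issueIDPattern is the assumed form of a TODO id snitch writes back into
// the source: "#" followed by a GitLab issue IID made only of digits.
var issueIDPattern = regexp.MustCompile(`^#([0-9]+)$`)

// ValidateIssueID returns the numeric IID from a TODO id such as "#69" and
// rejects anything else, e.g. "#path/to/undesirable/api/sub-endpoint/".
func ValidateIssueID(todoID string) (string, error) {
	m := issueIDPattern.FindStringSubmatch(todoID)
	if m == nil {
		return "", fmt.Errorf("todo id %q is not of the form #<digits>", todoID)
	}
	return m[1], nil
}

// IssueURL builds the (assumed) GitLab issue endpoint from a validated id.
// The project path is percent-escaped, so "tsoding/snitch" becomes
// "tsoding%2Fsnitch" and cannot add path segments either.
func IssueURL(host, projectID, todoID string) (string, error) {
	iid, err := ValidateIssueID(todoID)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("https://%s/api/v4/projects/%s/issues/%s",
		host, url.PathEscape(projectID), iid), nil
}

// UnsafeIssueURL is the pattern the issue warns about: the id is stripped of
// its "#" and placed into the path as-is, so whatever follows the "#" in the
// TODO line decides which endpoint gets called.
func UnsafeIssueURL(host, projectID, todoID string) string {
	return fmt.Sprintf("https://%s/api/v4/projects/%s/issues/%s",
		host, projectID, strings.TrimPrefix(todoID, "#"))
}

func main() {
	// Constructed sample ids: one as snitch would write it, one crafted.
	for _, id := range []string{"#69", "#path/to/undesirable/api/sub-endpoint/"} {
		fmt.Println("unsafe:", UnsafeIssueURL("gitlab.com", "tsoding/snitch", id))
		if u, err := IssueURL("gitlab.com", "tsoding/snitch", id); err != nil {
			fmt.Println("safe:  rejected:", err)
		} else {
			fmt.Println("safe:  ", u)
		}
	}
}
```

Rejecting the id up front, rather than escaping it, is the right choice here because a legitimate id can never contain anything but digits; escaping would silently turn the crafted id into a request for a non-existent issue instead of surfacing the malformed TODO line to the user.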