
User input is not sanitized before making a request, resulting in sending all contents of the db.json file.

Open reny-pacheco opened this issue 2 years ago • 8 comments

Description

User input is not sanitized before making a request. Adding ../db as form input results in sending the whole content of the db.json file.

I suggest sanitizing user input before sending a request.

Screenshots

[screenshot attached to the original issue; not reproduced here]

Additional information

No response

reny-pacheco avatar Oct 12 '22 15:10 reny-pacheco
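The report above describes a classic path traversal: the abbreviation typed by the user is interpolated straight into the request path, so `../db` resolves out of the `/db/` directory to `db.json`. The following is an added example (not Abbreve's own code) showing the unsafe construction next to a hardened one. The base URL `https://example.invalid/db/`, the 64-character limit and the function names are assumptions made for the example.

```javascript
// Added example, not Abbreve project code. Base URL is a placeholder.
const DB_BASE = "https://example.invalid/db/";

// Vulnerable pattern: raw input becomes part of the path, so "../db"
// resolves to /db.json instead of a file inside /db/.
function unsafeAbbrevUrl(input) {
  return new URL(`${input}.json`, DB_BASE).href;
}

// True when any "/"- or "\"-separated piece of the abbreviation is empty,
// "." or "..". Some servers decode %2F / %5C before resolving the path, so the
// decoded form must be harmless as well, not just the encoded one.
function hasTraversalSegment(abbr) {
  return abbr
    .split(/[\\\/]/)
    .some((seg) => seg === "" || seg === "." || seg === "..");
}

// Hardened: the abbreviation is forced into exactly one path segment.
// Returns the URL to fetch, or null when the input must be rejected.
function safeAbbrevUrl(input) {
  if (typeof input !== "string") return null;
  const abbr = input.trim();
  if (abbr.length === 0 || abbr.length > 64) return null; // assumed limit
  if (hasTraversalSegment(abbr)) return null;

  // Percent-encode so "/", "?", "#" etc. cannot change the URL structure.
  // This is the same encoding the thread later shows: "s/o" -> "s%2Fo".
  const segment = encodeURIComponent(abbr);
  const url = new URL(`${segment}.json`, DB_BASE);

  // Defence in depth: after resolution the path must still be /db/<segment>.json.
  if (url.pathname !== `/db/${segment}.json`) return null;
  return url.href;
}

module.exports = { unsafeAbbrevUrl, safeAbbrevUrl, hasTraversalSegment };
```

Note that the check runs on the raw (decoded) abbreviation before encoding, so `s/o` is still accepted and becomes `s%2Fo.json`, while `../db`, `..` or `a//b` are rejected regardless of how the server decodes the path.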

Yikes! This is a huge security issue. Do you want to be assigned to this @reny-pacheco ?

Njong392 avatar Oct 12 '22 15:10 Njong392

Yes, I'd like to work on this. Please assign it to me.

reny-pacheco avatar Oct 12 '22 15:10 reny-pacheco

Sure thing. Assigned!

Njong392 avatar Oct 12 '22 16:10 Njong392

Hi @Njong392, I already created a PR for this and it's ready for review. Thanks. 😃

reny-pacheco avatar Oct 12 '22 17:10 reny-pacheco

Hello @Njong392, @mathiasayivor, in relation to this issue, I found out that special characters in abbreviations are encoded when creating their .json file. And requesting s/o doesn't return its abbreviation.

Example: s/o ➡️ s%2Fo.json

Question: Is it advisable to allow contributors to add special characters to abbreviation?

reny-pacheco avatar Oct 15 '22 11:10 reny-pacheco

> Hello @Njong392, @mathiasayivor, in relation to this issue, I found out that special characters in abbreviations are encoded when creating their .json file. And requesting s/o doesn't return its abbreviation.
>
> Example: s/o ➡️ s%2Fo.json
>
> Question: Is it advisable to allow contributors to add special characters to abbreviation?

Yes, we definitely have to encode abbreviations with special characters, since those characters are not allowed as file names.

And yes, developers can encode abbreviations, but they must include a mapping for the encoded version in the public/server/encodedAbbrMappings.json file.

Also, thanks for pointing this out, as I thought searching for encoded abbreviations was added after the last breaking change (#64) was merged. Why don't you include this fix in #129?

mathiasayivor avatar Oct 15 '22 11:10 mathiasayivor

> Also, thanks for pointing this out, as I thought searching for encoded abbreviations was added after the last breaking change (#64) was merged. Why don't you include this fix in #129?

Based on my understanding, fetching of abbreviations goes directly to /db/<abbrev>.json, which sometimes contains the encoded abbrev. What is encodedAbbrMappings.json used for, since the requested abbrev comes from /db/<abbrev>.json?

Also thanks for responding to my questions. 😃

reny-pacheco avatar Oct 15 '22 12:10 reny-pacheco

> > Also, thanks for pointing this out, as I thought searching for encoded abbreviations was added after the last breaking change (#64) was merged. Why don't you include this fix in #129?
>
> Based on my understanding, fetching of abbreviations goes directly to /db/<abbrev>.json, which sometimes contains the encoded abbrev. What is encodedAbbrMappings.json used for, since the requested abbrev comes from /db/<abbrev>.json?
>
> Also thanks for responding to my questions. 😃

The encodedAbbrMappings.json is to help us easily find the original version for encoded abbreviations.

mathiasayivor avatar Oct 15 '22 17:10 mathiasayivor
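The exchange above settles two things: abbreviations with special characters are stored under a percent-encoded file name (`s/o` becomes `s%2Fo.json`), and each encoded name needs an entry in encodedAbbrMappings.json so the original can be recovered. The block below is an added example, not Abbreve's code, that implements the encode step, the reverse lookup, and a consistency check a maintainer could run in CI to catch encoded files whose mapping entry was forgotten. The mapping file's format (`{ "<encoded stem>": "<original abbreviation>" }`), the sample file list and the function names are assumptions made for the example.

```javascript
// Added example, not Abbreve project code. The mapping format below is assumed.

// Constructed sample data: three db files, one of which (w%2Fe) has no mapping.
const SAMPLE_DB_FILES = ["lol.json", "s%2Fo.json", "w%2Fe.json"];
const SAMPLE_MAPPINGS = { "s%2Fo": "s/o" };

// File name used to store/fetch an abbreviation, matching the thread's example:
// "s/o" -> "s%2Fo.json". Plain abbreviations are unchanged: "lol" -> "lol.json".
function encodeAbbrevFileName(abbr) {
  return `${encodeURIComponent(abbr.trim())}.json`;
}

// True when the abbreviation contains characters that had to be encoded.
function needsMapping(abbr) {
  return encodeURIComponent(abbr) !== abbr;
}

// The entry a contributor must add to the mapping file for a new abbreviation,
// or null when the abbreviation needs no encoding.
function mappingEntryFor(abbr) {
  return needsMapping(abbr) ? [encodeURIComponent(abbr), abbr] : null;
}

// Reverse lookup: stored file name -> original abbreviation, via the mapping.
function originalFor(fileName, mappings) {
  const stem = fileName.replace(/\.json$/, "");
  return Object.prototype.hasOwnProperty.call(mappings, stem) ? mappings[stem] : stem;
}

// Consistency check: every encoded file stem (one containing a "%" escape)
// must have a mapping entry, otherwise its original form cannot be recovered.
function missingMappings(dbFiles, mappings) {
  return dbFiles
    .map((f) => f.replace(/\.json$/, ""))
    .filter((stem) => /%[0-9A-Fa-f]{2}/.test(stem))
    .filter((stem) => !Object.prototype.hasOwnProperty.call(mappings, stem));
}

module.exports = { encodeAbbrevFileName, needsMapping, mappingEntryFor, originalFor, missingMappings };
```

Running `missingMappings(SAMPLE_DB_FILES, SAMPLE_MAPPINGS)` on the constructed data reports `w%2Fe`, the file added without its mapping; a non-empty result is what a CI step would fail on.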