mengww
mengww
Hi, i played a bit with the project and noticed one potential issue. In this [function](https://github.com/ml-tooling/opyrator/blob/3f443f05b6b21f00685c2b9bba16cf080edf2385/src/opyrator/ui/streamlit_ui.py#L242), the mime type could be manipulated by remote user, hence he could upload any...
**Describe the bug** FastAPI username and password are directly logged. It could be a potential security issue as described in [CWE-532](https://cwe.mitre.org/data/definitions/532.html) in [code](https://github.com/ebhy/budgetml/blob/4667c77662125e63ef0733e81743bde6959f7339/budgetml/main.py#L506) **To Reproduce** launch_local **Expected behavior** Redacted the...
Hello, While trying the tool, I find that the uploading file functionality relies on using the user-provided filename extension which could be a security issue as described in CWE-646: Reliance...
Hello, An attacker could know what are the projects exist by simply brute-force checking `localhost:8080/testproject`. If the returned page is authenticator then he knows the project exist as if the...
Hello, While playing with the tool, I noticed that sensitive information like wordpress password will be logged which could be a potential security issue described in [CWE-200](https://cwe.mitre.org/data/definitions/200.html). The problematic code...
Hello, In the code [here](https://github.com/WordOps/WordOps/blob/ecf20192c7853925e2cb3f8c8378cd0d86ca0d62/wo/cli/plugins/stack_pref.py#L77), the `conf_path` file priviledge is changed after the creation and data writing. A malicious attacker could perform TOCTOU attack to read/write the data before the...
### Context In [code](https://github.com/nebari-dev/nebari/blob/5463e8df9e8d53a266a7b9d3d4e27353ec43c40b/src/_nebari/deploy.py#L71), username and password is directly printed. It is a potential informaiton leakage issue as described in [CWE-532](https://cwe.mitre.org/data/definitions/532.html) ### Value and/or benefit Removing password could reduce the...
The robot is interesting and I found a few potential security issue while reading the source code. In code [here](https://github.com/wzpan/wukong-robot/blob/a68ac57237a7446d609fdfafa34d99e24e5fbcc1/robot/ASR.py#L224), `openai_api_key` is directly printed, this could potentially leak the key...
In the source code, sensitive informaiton like `api_key` is inserted into the log. It is a potential security issue as bescribed in [cwe-532](https://cwe.mitre.org/data/definitions/532.html). The `api_key` could be redacted. The leakage...
**Describe the bug** In code [here](https://github.com/HumanSignal/label-studio/blob/a0b30e92e0d677143f85bc3c6eb8030cf1bf14d9/label_studio/data_import/uploader.py#L61), it uses the user provided file name. It might be bypassed by manipulating the file extension. Using methods like checking magic code instead of...