Reddit.NET
Security vulnerability detected in RestSharp dependency
I've received a pair of Dependabot alerts for a high-severity security vulnerability discovered in RestSharp, the library used by Reddit.NET to interface with the Reddit API. The recommended remediation is to update RestSharp to the latest version.
Here's the advisory:
https://github.com/advisories/GHSA-9pq7-rcxv-47vq
I apologize for not noticing this sooner (the alert went out in July). Given the severity, I'll be releasing a hotfix shortly to correct this. I've got a lot of personal stuff going on right now but I'll get this out as soon as I can. Fortunately, it doesn't look like this is likely to affect any Reddit.NET apps since this vulnerability only becomes a problem if the server you're querying sends back a malicious response, which I suspect is highly unlikely to occur with the Reddit API, so we should be good here.
Thank you for your patience.
EDIT: Decided not to bother with a hotfix since this doesn't actually affect the library and I haven't received any complaints. So instead I'll just put this in the upcoming 1.6 release.
Migration is proving to be much more of a pain in the ass than anticipated. This newer version is riddled with BC-breaking changes with little to no migration documentation to help. The RestSharp docs are suggesting code that throws exceptions so I'm currently looking toward other sources for help.
RestSharp really did a number on RestRequest.AddFile. I got all the exceptions taken care of, but now the Reddit API is rejecting the request because it says the image data is invalid. Same endpoint works perfectly fine when using the old RestSharp version. The byte[] data does appear to be attached to the RestRequest but in a different place; the structure of RestRequest seems to have also been updated.
So I'm thinking this is an issue with how AddFile is attaching the file data. Somehow, this is causing the Reddit API to be unable to read the data (not sure if it's coming in corrupted or empty or what).
Created an issue on their tracker:
https://github.com/restsharp/RestSharp/issues/1881
No update on the RestSharp ticket yet. If I don't get a response with a workable solution in the next few days, I'll go ahead and push this migration back to the 1.7 release.
I was trying to retrieve subreddits’ banners and it was returning null. Is it related to this?