mappersmith
Unlikely but possible data leakage
Inserting dynamic parameters is currently done with loop + regexp + string.replace; this can cause data leakage under certain circumstances.
The fix would be to use a replace callback, something like this:
path = path.replace(new RegExp('{([^}]+)}', 'g'), function(match, prop) {
  return params[prop]; // perhaps URL encode too
  // perhaps throw error if property does not exist
});
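The leak the issue describes, shown side by side with the proposed fix. This is an added example written for this page, not mappersmith's code; the path template, the parameter names and the `interpolateSequential` / `interpolateSinglePass` helpers are all constructed for illustration. With a loop of sequential `replace` calls, each replacement runs against the already-substituted string, so a parameter value that happens to contain `{token}` is itself treated as a placeholder on a later iteration and gets filled in with another parameter's value. A single-pass replace with a callback only ever matches placeholders present in the original template, and the callback's return value is inserted literally (no `$&`-style replacement-pattern expansion either), so values never get a second look.

```javascript
// Added example (not mappersmith's own code): sequential placeholder
// replacement vs. the single-pass replace-callback fix proposed above.

// Constructed sample input. `name` is a value the caller controls and it
// happens to contain the placeholder of another parameter; `token` is a
// parameter that is not meant to appear in this path at all.
const PATH_TEMPLATE = '/users/{id}/files/{name}';
const PARAMS = {
  id: '42',
  name: '{token}',
  token: 'secret-api-key',
};

// The leaky pattern: loop over params and replace one placeholder at a time.
// Each iteration scans the partially substituted string, so a value inserted
// earlier can be matched as a placeholder later.
function interpolateSequential(path, params) {
  let result = path;
  for (const key of Object.keys(params)) {
    result = result.replace(new RegExp('\\{' + key + '\\}', 'g'), params[key]);
  }
  return result; // '/users/42/files/secret-api-key' for the sample above
}

// The fix: one pass over the original template with a callback. Only the
// placeholders present in the template are ever substituted, the returned
// string is inserted literally, missing properties raise instead of leaving
// "undefined" in the URL, and values are URL-encoded.
function interpolateSinglePass(path, params) {
  return path.replace(/\{([^}]+)\}/g, (match, prop) => {
    if (!Object.prototype.hasOwnProperty.call(params, prop)) {
      throw new Error('Missing path parameter: ' + prop);
    }
    return encodeURIComponent(String(params[prop]));
  }); // '/users/42/files/%7Btoken%7D' for the sample above
}

console.log('sequential :', interpolateSequential(PATH_TEMPLATE, PARAMS));
console.log('single pass:', interpolateSinglePass(PATH_TEMPLATE, PARAMS));
```

Running the block prints the leaked secret for the sequential version and the harmless encoded literal `%7Btoken%7D` for the single-pass version; the `hasOwnProperty` check is what the original comment "throw error if property does not exist" refers to, and it also keeps inherited properties such as `constructor` from being used as substitutions.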