typesense-js

fix: Escape user-supplied strings in URLs to prevent injection

Open · LewisW opened this issue 1 year ago · 1 comment

Change Summary

Fixes #194 by escaping user-supplied strings in URLs. This fixes a potential vulnerability that gives a malicious actor the ability to delete parent collections by starting their ID with a hash (in cases where something user-supplied, like a username, email, etc., is used for the document ID/prefix).

It's also pretty common practice to use the # character in DynamoDB keys, which is how we discovered this issue.

PR Checklist

LewisW · Jun 10 '24 14:06

Just to add a +1 here, this also breaks when IDs have a / in them.

I would suggest the default should be to do the URL encoding in the library, and if you need an explicit opt-out for backwards compatibility you could add that, but certainly the default should be to encode them in the library (for new users like myself).

kopertop · Jun 25 '24 20:06
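The two failure modes raised in the PR description and in the comment above (an ID containing `#`, and an ID containing `/`) both come down to the same thing: a raw string interpolated into a URL path is re-interpreted by the URL parser. The following is an added example, not code from the typesense-js repository; the base URL, the `/collections/{name}/documents/{id}` route shape and the function names are assumptions for illustration. It shows what path the server would actually see for a naive construction versus a percent-encoded one, and exposes a check a caller can use to confirm the intended ID survives.

```javascript
// Added example (not part of typesense-js): how an unescaped, user-supplied
// document ID changes the request path, and how percent-encoding prevents it.
// BASE and the route shape are constructed assumptions for this illustration.

const BASE = 'http://typesense.example:8108'; // constructed placeholder host

// Naive path construction: the ID is interpolated verbatim into the path.
function buildDocumentPathUnsafe(collection, id) {
  return `/collections/${collection}/documents/${id}`;
}

// Hardened construction: every user-supplied path segment is percent-encoded,
// so '#', '/', '?' and '%' inside the ID stay part of that one segment.
function buildDocumentPathSafe(collection, id) {
  return `/collections/${encodeURIComponent(collection)}/documents/${encodeURIComponent(id)}`;
}

// Resolve a path the way a URL parser does and return the pathname the server
// receives. Anything after '#' becomes a fragment and never leaves the client.
function effectivePath(path) {
  return new URL(path, BASE).pathname;
}

function lastSegment(pathname) {
  return pathname.split('/').pop();
}

// Compare both constructions for one (collection, id) pair and report whether
// the server-visible path still ends with the intended document ID.
function analyze(collection, id) {
  const unsafePath = effectivePath(buildDocumentPathUnsafe(collection, id));
  const safePath = effectivePath(buildDocumentPathSafe(collection, id));
  return {
    unsafePath,
    safePath,
    unsafePreservesId: decodeURIComponent(lastSegment(unsafePath)) === id,
    safePreservesId: decodeURIComponent(lastSegment(safePath)) === id,
  };
}

// Constructed sample IDs: a DynamoDB-style composite key, a slash-separated
// key, and a bare hash, the shapes discussed in the thread.
const SAMPLE_IDS = ['user#42', 'tenant/a/b', '#'];

for (const id of SAMPLE_IDS) {
  const r = analyze('users', id);
  console.log(JSON.stringify({ id, ...r }));
}
```

Running the block prints, for each sample ID, the path a naive client would request (truncated at `#`, or split into extra segments at `/`) next to the encoded path where the ID is preserved intact. The `unsafePreservesId` / `safePreservesId` flags are the check a library or caller can apply before sending a mutating request such as a delete.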

Thank you for the PR. We've moved the commits from this PR to #226 to resolve conflicts and merged that PR in.

jasonbosco · Aug 29 '24 03:08