Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Escape user-supplied strings in URLs to prevent injection #211

Closed
wants to merge 1 commit into from
Closed

fix: Escape user-supplied strings in URLs to prevent injection #211

wants to merge 1 commit into from

Conversation

LewisW
Copy link
Contributor

@LewisW LewisW commented Jun 10, 2024
edited
Loading

Change Summary

Fixes #194 by escaping user-supplied strings in URLs. This fixes a potential vulnerability that gives a malicious actor the ability to delete parent collections by starting their ID with a hash (in cases where something user-supplied like a username, email etc. is used for the document ID/prefix).

It's also pretty common practice to use the # character in dynamodb keys, which is how we discovered this issue.

PR Checklist

jasonbosco
jasonbosco requested changes Jun 10, 2024
View reviewed changes
Copy link
Member

@jasonbosco jasonbosco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @LewisW.

To ensure that this doesn't break for existing users who might be URL encoding entity names / IDs themselves before passing them to Typesense, could you add a boolean configuration option when instantiating the library, called say urlEncodeEntityIDs: true | false and only URL encode when this flag is enabled?

@kopertop
Copy link
Contributor

Just to add a +1 here, this also breaks when IDs have a / in them.

I would suggest the default should be to do the URL encoding in the library, and if you need an explicit opt-out for backwards compatibility you could add that, but certainly the default should be to encode them in the library (for new users like myself).

phiHero added a commit to phiHero/typesense-js that referenced this pull request Aug 27, 2024
@phiHero
Build after resolving conflicts for typesense#211
2b44d9d
jasonbosco added a commit that referenced this pull request Aug 29, 2024
@jasonbosco
Merge pull request #226 from phiHero/pr211
a8b64ed 
Resolve conflicts for #211 (fix: Escape user-supplied strings in URLs to prevent injection)
@jasonbosco jasonbosco mentioned this pull request Aug 29, 2024
Merged
1 task
@jasonbosco
Copy link
Member

Thank you for the PR. We've moved the commits from this PR #226 to resolve conflicts and merged that PR in.

@jasonbosco jasonbosco closed this Aug 29, 2024
tharropoulos pushed a commit to tharropoulos/typesense-js that referenced this pull request Sep 5, 2024
@phiHero @tharropoulos
Build after resolving conflicts for typesense#211
d6bbffa
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonbosco jasonbosco jasonbosco requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Deleting collections with special characters doesn't work
3 participants
@LewisW @kopertop @jasonbosco