hackmdio/codimd

exportAllNotes should use POST method for security

Open

#1 687 ouverte le 23 mai 2021

Voir sur GitHub
 (14 commentaires) (0 réactions) (0 assignés)JavaScript (8 949 stars) (1 038 forks)batch import
good first issuesecurity

Description

👋 Hello, we've received a report for a potential high severity security issue in your repository.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-hackmdio/codimd for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community.

Confused or need more help?

  • Join us on our Discord and a member of our team will be happy to help! 🤗

  • Speak to a member of our team: @JamieSlome

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

Guide contributeur

Stack technique
javascriptnodejsexpress
Domaine
backendsecurity
Type d'issue
security
DifficultéDifficulté estimée pour un nouveau contributeur, de 1 pour un très petit changement à 5 pour un travail expert.
2
Temps estiméFourchette de temps approximative pour investiguer, implémenter, tester et préparer une pull request.
1-3 hours
Statut d'activitéDisponibilité apparente de l'issue : fraîche, active, ancienne, bloquée ou en attente d'un mainteneur.
stale
ClartéClarté avec laquelle l'issue explique le changement attendu, les critères d'acceptation et la prochaine étape.
mostly clear
Prérequis
familiarity with Express routesunderstanding of HTTP methodsbasic JavaScript
Accessibilité débutantScore de 1 à 100 estimant l'accessibilité de cette issue pour un premier contributeur.
60
Direction de recherche
First, locate the route definition for exportAllNotes, likely in a file like server/routes/notes.js or a similar controller. Change the HTTP method from GET to POST. Then find any associated tests to update accordingly. Finally, check the frontend code for any calls to this endpoint and ensure they use POST. The issue is from 2021 and has no recent activity, so review the codebase to ensure the change is still applicable and no other dependencies have been introduced.