hackmdio/codimd

exportAllNotes should use POST method for security

Open

#1687 opened on May 23, 2021

View on GitHub
 (14 comments) (0 reactions) (0 assignees)JavaScript (8,949 stars) (1,038 forks)batch import
good first issuesecurity

Description

👋 Hello, we've received a report for a potential high severity security issue in your repository.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-hackmdio/codimd for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community.

Confused or need more help?

  • Join us on our Discord and a member of our team will be happy to help! 🤗

  • Speak to a member of our team: @JamieSlome

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

Contributor guide

Tech stack
javascriptnodejsexpress
Domain
backendsecurity
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
2
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
familiarity with Express routesunderstanding of HTTP methodsbasic JavaScript
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
First, locate the route definition for exportAllNotes, likely in a file like server/routes/notes.js or a similar controller. Change the HTTP method from GET to POST. Then find any associated tests to update accordingly. Finally, check the frontend code for any calls to this endpoint and ensure they use POST. The issue is from 2021 and has no recent activity, so review the codebase to ensure the change is still applicable and no other dependencies have been introduced.