hackmdio/codimd

exportAllNotes should use POST method for security

Open

#1,687 创建于 2021年5月23日

在 GitHub 查看
 (14 评论) (0 反应) (0 负责人)JavaScript (8,949 star) (1,038 fork)batch import
good first issuesecurity

描述

👋 Hello, we've received a report for a potential high severity security issue in your repository.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-hackmdio/codimd for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community.

Confused or need more help?

  • Join us on our Discord and a member of our team will be happy to help! 🤗

  • Speak to a member of our team: @JamieSlome

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

贡献者指南

技术栈
javascriptnodejsexpress
领域
backendsecurity
议题类型
security
难度面向新贡献者的预计实现难度,1 表示很小改动,5 表示专家级工作。
2
预计时间有经验贡献者完成调查、实现、测试并准备 pull request 的粗略时间范围。
1-3 hours
活动状态议题当前的可参与程度:新鲜、活跃、陈旧、阻塞或等待维护者输入。
stale
清晰度议题是否清楚说明期望改动、验收标准和下一步。
mostly clear
前置要求
familiarity with Express routesunderstanding of HTTP methodsbasic JavaScript
新手友好度1-100 的估计分数,表示该议题对首次贡献者的友好程度。
60
研究方向
First, locate the route definition for exportAllNotes, likely in a file like server/routes/notes.js or a similar controller. Change the HTTP method from GET to POST. Then find any associated tests to update accordingly. Finally, check the frontend code for any calls to this endpoint and ensure they use POST. The issue is from 2021 and has no recent activity, so review the codebase to ensure the change is still applicable and no other dependencies have been introduced.