API path traversal through custom tags #1409

Open
brainOut opened this issue May 29, 2019 · 3 comments

@brainOut

Tag management allows giving a personalized name to a tag.
If I name the tag ../ and modify it later, an error is thrown, indicating that the api/v2 path was not found...

If I'm a little more vicious, I can put known API endpoints

or even go up even higher

If the tag contains special characters such as "> or <", they are encoded and the tag is no longer found

@iamdey
Member

iamdey commented May 29, 2019

lol n1

@gdchamal
Member

We must restrict the tag.name value to a given set of characters. [a-zA-Z0-9_ ]* ?

@brainOut
Author

brainOut commented Jun 3, 2019

Maybe you could also include - in the auth list and simplify the regexp
[\w -]*
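
Added example, not part of the thread or the project's code: it shows why a tag named ../ ends up at api/v2, why percent-encoding the name is not enough on its own, and how the allow-list proposed above closes the gap. The `/api/v2/tags/` route, the host and all function names are assumptions for illustration; the pattern is anchored and uses `+` instead of `*` so that an empty name is rejected as well.

```javascript
// Assumed for illustration: constructed host and a /api/v2/tags/<name> route.
const API_BASE = 'https://mail.example/';

// Allow-list from the thread ([\w -]), anchored on both ends. Without the `u`
// flag, \w is ASCII-only ([A-Za-z0-9_]), so accented tag names are rejected.
const TAG_NAME_RE = /^[\w -]+$/;

function isValidTagName(name) {
  return typeof name === 'string' && TAG_NAME_RE.test(name);
}

// Shows what a URL parser does with a tag name concatenated into the path:
// dot segments are resolved before the request is ever sent.
function resolvedPath(rawSegment) {
  return new URL('/api/v2/tags/' + rawSegment, API_BASE).pathname;
}

// Hardened builder: validate against the allow-list, then percent-encode.
// Both steps are needed: encodeURIComponent('..') is still '..'.
function tagUrl(name) {
  if (!isValidTagName(name)) {
    throw new RangeError('invalid tag name');
  }
  return new URL('/api/v2/tags/' + encodeURIComponent(name), API_BASE).href;
}

// Constructed sample names, printed with validation result and resolved path.
for (const name of ['to-do list', '../', '../../', '..', '<b>', '']) {
  console.log(JSON.stringify(name), isValidTagName(name),
    resolvedPath(name), resolvedPath(encodeURIComponent(name)));
}
```

The same allow-list has to be enforced by the API when a tag is created or renamed, since a check in the client alone can be bypassed by calling the API directly.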
