User input is not sanitize before making a request resulting to send all contents of db.json file.

[reny-pacheco]

Description

User input is not sanitize before making a request.
Adding ../db as form input results to send the whole content of db.json file.

I suggest to sanitize user input before sending a request.

Screenshots

Additional information

No response

[Njong392]

Yikes! This is a huge security issue. Do you want to be assigned to this @reny-pacheco ?

[reny-pacheco]

Yes, I like to work on this. Please assign to me.

[Njong392]

Sure thing. Assigned!

[reny-pacheco]

Hi @Njong392 , I already created a PR for this and its ready for review, Thanks. 😃

[reny-pacheco]

Hello @Njong392 , @mathiasayivor , in relation to this issue, I found out that special characters in abbreviation is encoded when creating its .json file. And requesting s/o doesn't return its abbreviation.

Example: s/o ➡️ s%2Fo.json

Question: Is it advisable to allow contributors to add special characters to abbreviation?

[mathiasayivor]

Hello @Njong392 , @mathiasayivor , in relation to this issue, I found out that special characters in abbreviation is encoded when creating its .json file. And requesting s/o doesn't return its abbreviation.

Example: s/o arrow_right s%2Fo.json

Question: Is it advisable to allow contributors to add special characters to abbreviation?

Yes, we definitely have to encode abbreviations with special characters, since those characters are not allowed as file names.

And yes, developers can encode abbreviations, but they must include mapping for the encoded version in the public/server/encodedAbbrMappings.json file.

Also, thanks for pointing this out, as I thought searching for encoded abbreviations was added after the last breaking change (#64) was merged
Why don't you include this fix in #129?

[reny-pacheco]

Also, thanks for pointing this out, as I thought searching for encoded abbreviations was added after the last breaking change (#64) was merged Why don't you include this fix in #129?

Based on my understanding, fetching of abbreviations goes directly to /db/<abbrev>.json which sometimes contain the encoded abbrev.
Where is encodedAbbrMapppings.json used for? since the requested abbrev comes from /db/<abbrev>.json?

Also thanks for responding to my questions. 😃

[mathiasayivor]

Also, thanks for pointing this out, as I thought searching for encoded abbreviations was added after the last breaking change (#64) was merged Why don't you include this fix in #129?

Based on my understanding, fetching of abbreviations goes directly to /db/<abbrev>.json which sometimes contain the encoded abbrev. Where is encodedAbbrMapppings.json used for? since the requested abbrev comes from /db/<abbrev>.json?

Also thanks for responding to my questions. smiley

The encodedAbbrMappings.json is to help us easily find the original version for encoded abbreviations.