cloudinary / cloudinary-go

Cloudinary Golang package
MIT License

:rocket: Join Cloudinary's Hacktoberfest! #105

Open const-cloudinary opened 1 month ago

const-cloudinary commented 1 month ago

Hacktoberfest is here! And we’re excited to invite you to explore and contribute to our Cloudinary SDKs on GitHub!

Whether you’re a seasoned contributor or new to Open Source, this is a great opportunity to get involved, suggest improvements, and help shape our SDKs.

:hammer_and_wrench: Here’s what we’re looking for:

Meaningful contributions will be eligible for exclusive Cloudinary swag; learn more about the requirements in our blog post.

Let’s build something amazing together! :tada:

neelshah2409 commented 1 month ago

Hi @const-cloudinary In cloudinary.go, the URLForUpload function has a potential security issue. It directly uses the user-provided public_id without any sanitization. This could lead to security vulnerabilities like SSRF or XSS attacks. It is recommended to sanitize or validate the public_id before using it.

Should I work on it?

const-cloudinary commented 1 month ago

Hello @neelshah2409 , thank you for your participation!

Can you please provide an example?

This is a backend SDK; it doesn't run in the browser. The public IDs that are specified are passed through some backend code that can validate them; use a WAF or any other security layer to mitigate such attacks.
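An added example (not code from cloudinary-go or from this thread) of the caller-side validation the maintainer describes: a Go allow-list check applied to a public ID before it is handed to the SDK. The character set and length limit are assumptions made for this example, not Cloudinary's documented rules.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Assumed policy for this application; not a limit taken from cloudinary-go.
const maxPublicIDLen = 255

// One folder/file segment: letters, digits, '_', '-', '.' only.
var segmentRe = regexp.MustCompile(`^[A-Za-z0-9_\-.]+$`)

// ValidatePublicID rejects values that should never reach the SDK: empty or
// oversized strings, URL-like input, path traversal, and control characters.
func ValidatePublicID(id string) error {
	if id == "" || len(id) > maxPublicIDLen {
		return errors.New("public_id empty or too long")
	}
	if strings.Contains(id, "://") {
		return errors.New("public_id must not look like a URL")
	}
	if strings.HasPrefix(id, "/") || strings.HasSuffix(id, "/") {
		return errors.New("public_id must not start or end with '/'")
	}
	for _, seg := range strings.Split(id, "/") {
		switch {
		case seg == "":
			return errors.New("public_id contains an empty folder segment")
		case seg == "." || seg == "..":
			return errors.New("public_id contains a path traversal segment")
		case !segmentRe.MatchString(seg): // also rejects spaces, ':', '?', control chars
			return fmt.Errorf("public_id segment %q has characters outside the allow-list", seg)
		}
	}
	return nil
}

func main() {
	// Constructed inputs: one acceptable ID and three that the check refuses.
	for _, id := range []string{"samples/cloudinary-icon", "../etc/passwd", "http://evil.example/x", "a b"} {
		fmt.Printf("%-26q -> %v\n", id, ValidatePublicID(id))
	}
}
```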

RS-labhub commented 1 month ago

Are you guys going to open any issues, or do we have to find them?

const-cloudinary commented 1 month ago

@RS-labhub , if you find anything, feel free to open a GitHub Issue and then work on it.