Closed code423n4 closed 2 years ago
See comment on #65.
This is an issue on the FE implementation side, not in the contracts. Contracts function as designed: "." and ".." are both valid. It is up to governance not to add contracts to the allowlist that will let these profiles be minted.
I agree, this should be handled by the front-end and not on a smart contract level. It isn't ideal to handle input sanitisation on a smart contract level where computation is expensive.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/PublishingLogic.sol#L398-L410
Vulnerability details
As we can see in _validateHandle, "." is an acceptable character, so ".." is accepted and _validateHandle returns success.
A new profile for User A gets created with the handle "..".
The problem occurs in the UI (or any app UI using Aave Lens), since ".." is used for the parent directory.
So when the user tries to access their profile ".." through the UI, the URL would be "https://www.something.com/profile/..".
This URL will simply redirect to https://www.something.com/, and this user will never be able to access their profile on the UI.
Remediation: Enforce in _validateHandle that the handle contains at least one letter or number.
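The following is an added illustration of the remediation the report proposes; it is not Lens Protocol's own _validateHandle and is not code from this thread. It assumes the handle alphabet is lowercase letters, digits, ".", "-" and "_" (the report only states that "." is accepted) and assumes a maximum length of 31 bytes; both are assumptions. The sponsor's position that this belongs in the front end is unchanged by the example; it only shows what the contract-level check would look like.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Added example, not Lens Protocol's own code.
/// Assumed alphabet: a-z, 0-9, '.', '-', '_'. Assumed length limit: 31 bytes.
library HandleValidationExample {
    uint256 internal constant MAX_HANDLE_LENGTH = 31; // assumed, not from the page

    error HandleLengthInvalid();
    error HandleContainsInvalidCharacters();
    error HandleHasNoAlphanumeric();

    /// Reverts unless `handle` is non-empty, within the length limit, uses only
    /// the assumed alphabet, and contains at least one letter or digit.
    /// The last condition is the hardening the report asks for: handles such
    /// as "." or ".." pass the per-character check but carry no alphanumeric,
    /// so they are rejected here instead of reaching the front end.
    function validateHandle(string calldata handle) internal pure {
        bytes memory byteHandle = bytes(handle);
        uint256 len = byteHandle.length;
        if (len == 0 || len > MAX_HANDLE_LENGTH) revert HandleLengthInvalid();

        bool sawAlphanumeric = false;
        for (uint256 i = 0; i < len; ) {
            bytes1 c = byteHandle[i];
            bool isDigit = c >= "0" && c <= "9";
            bool isLower = c >= "a" && c <= "z";
            if (isDigit || isLower) {
                sawAlphanumeric = true;
            } else if (c != "." && c != "-" && c != "_") {
                revert HandleContainsInvalidCharacters();
            }
            unchecked {
                ++i;
            }
        }
        if (!sawAlphanumeric) revert HandleHasNoAlphanumeric();
    }
}

/// Minimal harness showing the outcome for the handles discussed in the report.
contract HandleValidationDemo {
    /// Returns true when the handle is accepted, false when it reverts.
    function isAccepted(string calldata handle) external pure returns (bool) {
        try this.check(handle) {
            return true;
        } catch {
            return false;
        }
    }

    /// External wrapper so the library revert can be caught with try/catch.
    function check(string calldata handle) external pure {
        HandleValidationExample.validateHandle(handle);
    }
}
```

With this check, isAccepted("..") and isAccepted(".") return false (no letter or digit), while isAccepted("user.a") and isAccepted("a") return true. Note that try/catch in Solidity only works on external calls, which is why the demo contract routes the library call through its own external function.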