Closed linsyking closed 8 months ago
Tracking issue for:
@zzjc1234 Could you help look into these security issues? Thanks.
I have checked and tested on these four interfaces. I believe these are all false positives. Three of them are protected by check_file(), which cannot be bypassed, and the other one cannot be bypassed as well due to the seemingly automatic file name check of fastapi. It seems that if a path is included in a file name passed in a request, fastapi will automatically return 404.
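The two defences named in this comment, as an added stand-alone example (not the project's own code): a reconstruction of what a `check_file()` containment check looks like, plus the route-matching behaviour behind the "automatic 404" (Starlette, which FastAPI builds on, compiles a plain `{filename}` parameter to `[^/]+`). `check_file`, `is_allowed`, `route_matches` and `BASE_DIR` are assumptions for illustration, not the project's real identifiers.

```python
# Added example, not taken from the project. Pure stdlib so it runs offline.
import re
from pathlib import Path

# A plain "{filename}" path parameter in Starlette/FastAPI is matched with
# [^/]+, so any value that still contains "/" never reaches the handler:
# the router has no matching route and answers 404.
ROUTE = re.compile(r"^/files/(?P<filename>[^/]+)$")


def route_matches(url_path: str) -> bool:
    """Mimic route matching for GET /files/{filename}."""
    return ROUTE.match(url_path) is not None


# Constructed base directory for the example (assumption).
BASE_DIR = Path("/srv/app/files")


def check_file(filename: str, base_dir: Path = BASE_DIR) -> Path:
    """Return the resolved path for filename if it stays inside base_dir.

    Resolve '..' and symlinks first, then compare; a purely textual check
    on the raw string can be fooled, the resolved path cannot.
    Note that Path(base) / "/etc/passwd" *replaces* base with the absolute
    path, which is exactly why the containment test is needed.
    """
    base = base_dir.resolve(strict=False)
    target = (base / filename).resolve(strict=False)
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError(f"refusing path outside {base}: {filename!r}")
    return target


def is_allowed(filename: str, base_dir: Path = BASE_DIR) -> bool:
    """Boolean wrapper around check_file for callers that prefer no exception."""
    try:
        check_file(filename, base_dir)
        return True
    except ValueError:
        return False
```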
Those checks are for a very old version of the code, so don't care. :) Closing.
I received these same warnings in my PR too, so I checked them anyway
never mind lol
Currently we don't have any authentication for the backend and frontend; it should have one in the future.