linsyking / CanvasHelper2

New generation of Canvas Helper.
MIT License

Security issue #3

Closed linsyking closed 8 months ago

linsyking commented 1 year ago

Currently we don't have any authentication for backend and frontend, it should have one in the future.

linsyking commented 1 year ago

Tracking issue for:

linsyking commented 1 year ago

@zzjc1234 Could you help look into these security issues? Thanks.

PACHAKUTlQ commented 8 months ago

I have checked and tested these four interfaces. I believe these are all false positives. Three of them are protected by check_file(), which cannot be bypassed, and the other one cannot be bypassed either, due to what seems to be an automatic file name check in fastapi. It seems that if a path is included in a file name passed in a request, fastapi will automatically return 404.

linsyking commented 8 months ago

> I have checked and tested these four interfaces. I believe these are all false positives. Three of them are protected by check_file(), which cannot be bypassed, and the other one cannot be bypassed either, due to what seems to be an automatic file name check in fastapi. It seems that if a path is included in a file name passed in a request, fastapi will automatically return 404.

Those checks are for a very old version of the code, so don't care. :) Closing.

PACHAKUTlQ commented 8 months ago

> I have checked and tested these four interfaces. I believe these are all false positives. Three of them are protected by check_file(), which cannot be bypassed, and the other one cannot be bypassed either, due to what seems to be an automatic file name check in fastapi. It seems that if a path is included in a file name passed in a request, fastapi will automatically return 404.

> Those checks are for a very old version of the code, so don't care. :) Closing.

I received these same warnings in my PR too, so I checked them anyway.

linsyking commented 8 months ago

> I have checked and tested these four interfaces. I believe these are all false positives. Three of them are protected by check_file(), which cannot be bypassed, and the other one cannot be bypassed either, due to what seems to be an automatic file name check in fastapi. It seems that if a path is included in a file name passed in a request, fastapi will automatically return 404.

> Those checks are for a very old version of the code, so don't care. :) Closing.

> I received these same warnings in my PR too, so I checked them anyway.

Never mind, lol.