Open hassanselim0 opened 4 years ago
I looked at the codebase for the web service (first time for me to read Elixir code BTW, looks very interesting and clean).
The problem is in the /badge/:name route here. The easy fix would be to make some sort of lookup on SpaceStorage (maybe call its space function) and make sure isPrivate is false. An even better solution would be to read a key query param and validate it similarly to what happens in the /v0/join route (link).
If you have a dev docker file, maybe I can try to contribute that fix.
I wouldn't consider this major, but as I was looking at the GitHub badge that deeplinks to the VS Code Space, I found that the image of the badge has this URL format:
https://vslscommunitieswebapp.azurewebsites.net/badge/{space}
It seems to fetch the number of users inside the provided space name then redirect to the appropriate shields.io url. The problem is that it does this for private spaces too, so this can reveal that a private space exists and show how big it is.
For me this isn't an issue (I don't need that level of secrecy 😅), but I think for other people this can be an issue. An easy fix would be to return a 403 response on that URL if a private space is passed.
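The following is an added example, not the project's code and not part of either comment above; it sketches in Elixir what the two suggested fixes look like together: look the space up, refuse private spaces with a 403, and accept a `key` query param checked the way the join route is described as doing. `SpaceStorage.space/1` and the `isPrivate` field are names taken from the discussion; the in-memory storage stub, the `key` and `members` fields, the shields.io URL format and the `Plug.Conn` controller calls are assumptions for illustration. One point worth noting beyond the comments: if an unknown space returned 404 while a private one returned 403, the status code would still tell a prober that the private space exists, so the example gives both cases the same 403. The key is compared in constant time so the check does not leak through response timing either.

```elixir
# Added example (not the project's own code). Models the /badge/:name decision
# described in this issue. SpaceStorage.space/1 and isPrivate come from the
# discussion; the storage stub, key/members fields and badge URL are constructed.

defmodule BadgeExample.SpaceStorage do
  @moduledoc "Constructed stand-in for the service's SpaceStorage lookup."

  @spaces %{
    "public-room" => %{isPrivate: false, key: nil, members: ["alice", "bob", "carol"]},
    "secret-room" => %{isPrivate: true, key: "s3cret-join-key", members: ["dave"]}
  }

  @doc "Returns the space record for `name`, or nil when no such space exists."
  def space(name) when is_binary(name), do: Map.get(@spaces, name)
end

defmodule BadgeExample.Badge do
  @moduledoc """
  Authorization for the badge route.

  Before the fix every name resolved to a member count, so anyone could probe
  the URL to learn that a private space existed and how big it was. Here a
  private space needs a valid `key`, and an unknown space and a private space
  without a key both yield the same 403, so the status code does not
  distinguish "no such space" from "private space".
  """
  import Bitwise
  alias BadgeExample.SpaceStorage

  @doc "Returns {:ok, member_count} or {:error, http_status}."
  def authorize(name, params \\ %{}) do
    case SpaceStorage.space(name) do
      nil ->
        {:error, 403}

      %{isPrivate: false, members: members} ->
        {:ok, length(members)}

      %{isPrivate: true, key: expected, members: members} ->
        if valid_key?(Map.get(params, "key"), expected),
          do: {:ok, length(members)},
          else: {:error, 403}
    end
  end

  @doc "Constructed badge URL format; the real service builds its own redirect target."
  def shields_url(count) when is_integer(count) do
    "https://img.shields.io/badge/Live%20Share-#{count}%20online-blue"
  end

  # A private space with no key configured can never be shown by the badge.
  defp valid_key?(_presented, nil), do: false

  defp valid_key?(presented, expected) when is_binary(presented) and is_binary(expected) do
    secure_compare(presented, expected)
  end

  defp valid_key?(_, _), do: false

  # Constant-time comparison so the key check does not leak via response timing.
  # In a Phoenix app Plug.Crypto.secure_compare/2 does the same job.
  defp secure_compare(a, b) when byte_size(a) != byte_size(b), do: false

  defp secure_compare(a, b) do
    diff =
      :binary.bin_to_list(a)
      |> Enum.zip(:binary.bin_to_list(b))
      |> Enum.reduce(0, fn {x, y}, acc -> bor(acc, bxor(x, y)) end)

    diff == 0
  end
end

# How a Plug/Phoenix controller action would use it. Plug.Conn is assumed to be
# present in the real service; it is not needed to run the modules above.
defmodule BadgeExample.BadgeController do
  alias BadgeExample.Badge

  def show(conn, %{"name" => name} = params) do
    case Badge.authorize(name, params) do
      {:ok, count} ->
        conn
        |> Plug.Conn.put_resp_header("location", Badge.shields_url(count))
        |> Plug.Conn.send_resp(302, "")

      {:error, status} ->
        Plug.Conn.send_resp(conn, status, "Forbidden")
    end
  end
end

# Run with `elixir badge_example.exs` to see each case decided:
for {name, params} <- [
      {"public-room", %{}},
      {"secret-room", %{}},
      {"secret-room", %{"key" => "s3cret-join-key"}},
      {"secret-room", %{"key" => "wrong-key"}},
      {"does-not-exist", %{}}
    ] do
  IO.inspect(BadgeExample.Badge.authorize(name, params), label: "#{name} #{inspect(params)}")
end
```

The public space resolves to its member count, the private space resolves only when the correct key is presented, and a wrong key, a missing key and a nonexistent name all produce the same `{:error, 403}`.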