sherlock-audit / 2024-06-allora-judging


0xsi - Potential Arbitrary Code Execution in `api.go` #5

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

0xsi

High

Potential Arbitrary Code Execution in `api.go`

Summary

The makeApiCall function constructs an HTTP POST request using unsanitized user-provided data.

Vulnerability Detail

There is no validation of the payload before it is sent to the external API. This opens up the potential for arbitrary code execution if a malicious payload is passed into the function.

Impact

An attacker could exploit this vulnerability by injecting malicious code into the payload parameter, leading to arbitrary code execution on the server that processes the API requests.

Code Snippet

https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/app/api.go#L166-L185

Tool used

Manual Review

Recommendation

Validate and sanitize the payload before using it in the HTTP request. Ensure that the payload data adheres to the expected format and does not contain any malicious content.
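As an added illustration of the recommendation above (example code, not the report's own and not taken from allora-chain's `api.go`), the block below shows one way to validate a caller-supplied payload strictly before forwarding it in a POST: bound its size, decode it as JSON into a fixed schema with unknown fields and trailing data rejected, range-check the fields, and re-marshal the validated struct so that only accepted fields ever reach the wire. The `apiPayload` schema, its field names, the size limit and the timeout are assumptions made for this example; the real function at the linked lines is not reproduced here.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// maxPayloadBytes bounds how much caller-supplied data we will forward (assumed limit).
const maxPayloadBytes = 64 * 1024

// apiPayload is a hypothetical schema standing in for whatever the real
// makeApiCall forwards; the field names are assumptions for this example.
type apiPayload struct {
	TopicID     uint64 `json:"topic_id"`
	BlockHeight int64  `json:"block_height"`
}

// validatePayload accepts raw caller bytes only if they are a bounded-size,
// well-formed JSON object matching apiPayload exactly: unknown fields,
// trailing data and out-of-range values are all rejected.
func validatePayload(raw []byte) (*apiPayload, error) {
	if len(raw) > maxPayloadBytes {
		return nil, fmt.Errorf("payload too large: %d bytes", len(raw))
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	var p apiPayload
	if err := dec.Decode(&p); err != nil {
		return nil, fmt.Errorf("malformed payload: %w", err)
	}
	// Decode stops after the first JSON value; anything left over is smuggled data.
	if _, err := dec.Token(); err != io.EOF {
		return nil, errors.New("malformed payload: trailing data after JSON object")
	}
	if p.BlockHeight < 0 {
		return nil, fmt.Errorf("invalid block_height %d", p.BlockHeight)
	}
	return &p, nil
}

// makeApiCall is a hardened shape of the function the report describes:
// the validated struct is re-marshalled so only accepted fields reach the
// wire, the destination URL is fixed by the caller rather than the payload,
// and the request is bounded by a timeout.
func makeApiCall(ctx context.Context, client *http.Client, url string, raw []byte) (int, error) {
	p, err := validatePayload(raw)
	if err != nil {
		return 0, err
	}
	body, err := json.Marshal(p)
	if err != nil {
		return 0, err
	}
	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body) // drain so the connection can be reused
	return resp.StatusCode, nil
}

func main() {
	// Constructed stand-in for the external API: prints what it received.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		fmt.Printf("upstream received: %s\n", b)
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	// Constructed sample inputs: one valid, three that must be rejected.
	inputs := []string{
		`{"topic_id":1,"block_height":42}`,
		`{"topic_id":1,"block_height":42,"admin":true}`,
		`{"topic_id":1,"block_height":42} {"topic_id":2}`,
		`{"topic_id":1,"block_height":-5}`,
	}
	for _, in := range inputs {
		status, err := makeApiCall(context.Background(), srv.Client(), srv.URL, []byte(in))
		fmt.Printf("%-50s -> status=%d err=%v\n", in, status, err)
	}
}
```

Re-marshalling the validated struct, rather than forwarding the caller's bytes, is the part that matters: it guarantees that whatever the upstream service sees is exactly the schema this code chose to accept, independent of how permissively that service parses JSON.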

sherlock-admin4 commented 4 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

Report lacks detail

sherlock-admin2 commented 4 months ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/allora-network/allora-chain/pull/458