Closed gretchenfrage closed 3 years ago
You can run the code by enabling and manually running the "workflow" GitHub Action on your fork!
Thanks! I am attempting to test now.
Was the issue not fully fixed by #45?
Yes, it looks like it was. I realized that in testing just as you responded.
Closing since the bug is already fixed.
Actually, on second thought, I'm not sure if the vulnerability still exists.
No, it doesn't. Calling encodeURI is redundant because url.parse already URL-encodes stuff.
Aren't you the dude who started this in the first place? lmao
Yeah I wanted to double check some things to be sure but it looks like this is patched.
This script appears to be vulnerable to people injecting malicious code into their personal links. I believe that this code change, which passes the GitHub username through encodeURI (originally encodeURIComponent, changed following an upstream change), should fix it. However, I am not sure how to run the code in this repo, so I have not tested this change.
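An added example, not code from this repository or from the PR author, showing the behaviour the thread is arguing about: a GitHub username interpolated into a personal link with no encoding, with encodeURI, and with encodeURIComponent, on a constructed hostile username. The link shape `https://github.com/<username>`, the helper names, the sample usernames and the allow-list check are assumptions made for this illustration; the thread's point about `url.parse` is not exercised here. It shows that encodeURI does neutralise the characters that break out of an HTML attribute (`"`, `<`, `>`), but, unlike encodeURIComponent, leaves URI delimiters such as `/`, `?` and `#` untouched, and that validating the username against GitHub's own naming rules before it is interpolated sidesteps the encoding question entirely.

```javascript
// Added example (not the project's own code). Compares how a username that is
// interpolated into a personal link behaves with no encoding, with encodeURI,
// and with encodeURIComponent. Link shape and helper names are assumptions.

// Constructed sample inputs: one legitimate username and two hostile ones.
const SAMPLE_USERNAMES = {
  benign: "octocat",
  // Tries to close a double-quoted href attribute and inject markup.
  attrBreak: 'octocat"><script>alert(1)</script>',
  // Tries to smuggle path segments, a query string and a fragment.
  pathSmuggle: "octocat/../../settings?x=1#frag",
};

// The "before" shape: the username lands in the href verbatim.
function linkUnencoded(username) {
  return `https://github.com/${username}`;
}

// encodeURI escapes characters that are illegal in a URI (space, ", <, >, ...)
// but deliberately leaves URI delimiters such as / ? # & = alone, because it
// is meant for a whole URI, not a single component.
function linkEncodeURI(username) {
  return `https://github.com/${encodeURI(username)}`;
}

// encodeURIComponent escapes everything except A-Z a-z 0-9 - _ . ! ~ * ' ( ),
// so path and query delimiters inside the username are neutralised as well.
function linkEncodeURIComponent(username) {
  return `https://github.com/${encodeURIComponent(username)}`;
}

// Allow-list check (assumed helper). GitHub usernames are alphanumeric with
// optional single hyphens between characters, may not begin or end with a
// hyphen, and are at most 39 characters long.
const GITHUB_USERNAME_RE = /^[A-Za-z\d](?:[A-Za-z\d]|-(?=[A-Za-z\d])){0,38}$/;

function isValidGithubUsername(username) {
  return GITHUB_USERNAME_RE.test(username);
}

// True when the string still contains a character that can terminate a
// double-quoted HTML attribute or open a tag.
function breaksHtmlAttribute(s) {
  return /["<>]/.test(s);
}

// Prints the three link forms for each sample so the differences are visible.
function demo() {
  for (const [label, name] of Object.entries(SAMPLE_USERNAMES)) {
    console.log(label, {
      valid: isValidGithubUsername(name),
      raw: linkUnencoded(name),
      encodeURI: linkEncodeURI(name),
      encodeURIComponent: linkEncodeURIComponent(name),
    });
  }
}

demo();
```

Running it shows the raw link carrying the `"><script>` payload intact, both encoders turning it into `%22%3E%3Cscript%3E...`, and only encodeURIComponent rewriting the `/../../` and `?x=1#frag` parts of the second sample; the allow-list rejects both hostile names before any link is built.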