
fix: security vulnerability in attachment downloads #154

Merged: schpet merged 2 commits into schpet:main from hmnd:push-xlqttzxxyxlq on Mar 5, 2026

Conversation

@hmnd (Contributor) commented Feb 27, 2026

Currently, the CLI attempts to download any url that merely contains uploads.linear.app, doing so with an authenticated fetch(). This means a threat actor can add a url like https://myevilurl.com/uploads.linear.app somewhere in the issue in order to steal a user's credentials.

This PR explicitly checks the hostname of the url, and only passes the api token when downloading from uploads.linear.app, rather than both uploads.linear.app and public.linear.app.

I've also taken the liberty of centralizing all Linear url usage in a const.ts, rather than having them scattered around.
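The substring check described above, beside a hostname-based check, as an added example that is not code from this PR or the project. The host names come from the discussion; the function names, the constructed sample URLs and the Authorization header format are assumptions for illustration.

```typescript
// Added example, not the project's own code. Host names come from the PR
// discussion; function names, sample URLs and the header format are assumptions.
const LINEAR_UPLOADS_HOST = "uploads.linear.app";
const LINEAR_PUBLIC_HOST = "public.linear.app";

// Constructed inputs: any of these could be planted in an issue body.
export const SAMPLE_URLS: Record<string, string> = {
  genuine: "https://uploads.linear.app/abc123/file.png",
  public: "https://public.linear.app/abc123/image.png",
  pathTrick: "https://myevilurl.com/uploads.linear.app",
  suffixTrick: "https://uploads.linear.app.evil.example/file.png",
  userinfoTrick: "https://uploads.linear.app@evil.example/file.png",
  queryTrick: "https://evil.example/?ref=uploads.linear.app",
  plainHttp: "http://uploads.linear.app/abc123/file.png",
};

// Before the fix: a substring match. Any URL containing the text passes, so
// the API token is sent to whoever controls the host.
export function isLinearUploadNaive(url: string): boolean {
  return url.includes(LINEAR_UPLOADS_HOST);
}

// After the fix: parse the URL and compare the hostname exactly. The WHATWG
// URL parser lowercases the host and separates userinfo, so
// "uploads.linear.app@evil.example" resolves to hostname "evil.example".
// Only https and the exact uploads host qualify for credentials.
export function needsLinearAuth(url: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input never gets credentials
  }
  return parsed.protocol === "https:" && parsed.hostname === LINEAR_UPLOADS_HOST;
}

// public.linear.app is still a Linear host, but per the PR it gets no token.
export function isLinearPublic(url: string): boolean {
  try {
    const parsed = new URL(url);
    return parsed.protocol === "https:" && parsed.hostname === LINEAR_PUBLIC_HOST;
  } catch {
    return false;
  }
}

// Headers a download request gets; the Authorization format is an assumption.
export function headersFor(url: string, apiToken: string): Record<string, string> {
  return needsLinearAuth(url) ? { Authorization: apiToken } : {};
}

// Run the naive and hardened checks side by side over the sample URLs.
export function compare(): Record<string, { naive: boolean; hardened: boolean }> {
  const out: Record<string, { naive: boolean; hardened: boolean }> = {};
  for (const [name, url] of Object.entries(SAMPLE_URLS)) {
    out[name] = { naive: isLinearUploadNaive(url), hardened: needsLinearAuth(url) };
  }
  return out;
}
```

The naive check accepts every sample except none of them is rejected, while the hostname check accepts only the genuine https uploads URL. Comparing `hostname` rather than `host` also ignores a port suffix, and the exact-equality test deliberately does not match subdomains or the bare path-only lookalike.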

@schpet (Owner) commented Feb 27, 2026

@hmnd thanks! can you confirm this works with both images and attachments? forget if they are on the same endpoint or not. i also sometimes upload stuff to my own domains, wonder if i should support that at all... via flag or config perhaps. mostly thinking out loud here. i'll do a proper review at some point, likely next week.

@hmnd (Contributor, Author) commented Feb 27, 2026

@schpet yes, works for both! Your note on other domains brings up a gap though... In this change, I've only hardened against including credentials in non-Linear domain fetches, but it doesn't stop fetching image urls from non-Linear hosts. I figured that would likely be best for a separate PR once the UX is figured out.

schpet merged commit ab3f83b into schpet:main on Mar 5, 2026 (7 checks passed)

@schpet (Owner) commented Mar 5, 2026

@hmnd thanks again!

thinking about my comment about other domains: i think for non linear origins it's fine... i'm remembering now that the reason i download these from the linear urls is that they require authentication, so they weren't easily followed. so! i think we're all set, appreciate your help improving this.

@hmnd (Contributor, Author) commented Mar 5, 2026

Ahh, that makes more sense! Thanks for the merge :)

hmnd deleted the push-xlqttzxxyxlq branch on March 5, 2026 at 08:03
