Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(security): add notion page uuid check to prevent SSRF and upgrade vulnerable packages #84

Merged
merged 3 commits into from
Apr 23, 2023

Conversation

dazedbear
Copy link
Owner

@dazedbear dazedbear commented Apr 23, 2023

Goal

Fix potential SSRF security issue found by failsafe redirection alert.

Screenshot 2023-04-23 at 8 19 00 PM

After checking, the abusive user could visit any public notion page using their title and uuid. (using weird Algolia crawler user agent) This may lead to SSRF issue.

Screenshot 2023-04-23 at 8 20 21 PM

Screenshot 2023-04-23 at 8 39 36 PM

Add article uuid check and logs for this.

Screenshot 2023-04-23 at 7 57 46 PM

upgrade vulnerable packages

@codesandbox
Copy link

codesandbox bot commented Apr 23, 2023

CodeSandbox logoCodeSandbox logo  Open in CodeSandbox Web Editor | VS Code | VS Code Insiders

@vercel
Copy link

vercel bot commented Apr 23, 2023

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated (UTC)
dazedbear-github-io ✅ Ready (Inspect) Visit Preview Apr 23, 2023 0:18am

@dazedbear dazedbear marked this pull request as ready for review April 23, 2023 12:29
@dazedbear dazedbear merged commit 87ee21a into main Apr 23, 2023
github-actions bot pushed a commit that referenced this pull request Apr 23, 2023
## [4.26.1](v4.26.0...v4.26.1) (2023-04-23)

### Bug Fixes

* **security:** add notion page uuid check to prevent SSRF and upgrade vulnerable packages ([#84](#84)) ([87ee21a](87ee21a))
@dazedbear dazedbear deleted the fix-sbug branch October 14, 2023 09:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant