Can you spot the vulnerability? #codeadvent2022 #csharp #appsec
Something was forgotten in this API handler, but what?
https://www.sonarsource.com/knowledge/code-challenges/advent-calendar-2022/?day=3
@SonarResearch The hostname part of the URL does not end with a slash. The appended user input from the `path` parameter can change the domain of the API request which could leak the Authorization environment variable.
The domain github.computer is available and could be reached by the API handler if the `path` parameter is set to "puter".
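The concatenation problem described in the reply, shown next to a hardened form, as an added C# example (not the challenge's code, which is not reproduced on this page). The base URL `https://github.com` and the names `ApiUrl`, `BuildNaive` and `BuildChecked` are assumptions made for illustration.

```csharp
using System;

static class ApiUrl
{
    // Assumed base for this example (constructed); as in the reply, no trailing slash.
    const string Base = "https://github.com";

    // Pattern the reply describes: user input is appended directly after the host.
    public static Uri BuildNaive(string path) => new Uri(Base + path);

    // Hardened: resolve the input as a path under "<base>/" and reject any result
    // whose scheme, host or port differs from the base before credentials are attached.
    public static Uri BuildChecked(string path)
    {
        var baseUri = new Uri(Base + "/");
        var relative = (path ?? "").TrimStart('/', '\\');
        if (!Uri.TryCreate(baseUri, relative, out var target) ||
            Uri.Compare(baseUri, target, UriComponents.SchemeAndServer,
                        UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) != 0)
            throw new ArgumentException("path leaves the API origin", nameof(path));
        return target;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed inputs: the reply's "puter" and an ordinary API path.
        foreach (var path in new[] { "puter", "/repos/o/r" })
        {
            Console.WriteLine($"{path,-12} naive   -> {ApiUrl.BuildNaive(path).Host}");
            Console.WriteLine($"{path,-12} checked -> {ApiUrl.BuildChecked(path)}");
        }

        // An absolute URL as input must not replace the origin.
        try
        {
            ApiUrl.BuildChecked("https://example.org/x");
        }
        catch (ArgumentException e)
        {
            Console.WriteLine($"rejected: {e.Message}");
        }
    }
}
```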