π Description
// β PROBLEMATIC CODE
let q = author:${username} is:${type};
if (filters.search) {
q += ${filters.search} in:title; // Direct string concatenation
}
if (filters.repo) {
q += repo:${filters.repo}; // No escaping
}
Issue: User input is directly concatenated into GitHub search queries without escaping. Malicious input could break the query structure or inject unintended search parameters.
Impact: Search query injection attacks, unpredictable search results, potential security bypass.
Recommended Fix: Implement proper query parameter escaping/encoding.
What browsers are you seeing the problem on?
No response
π Relevant Screenshots (Links)
No response
π Description
// β PROBLEMATIC CODE
let q =
author:${username} is:${type};if (filters.search) {
q +=
${filters.search} in:title; // Direct string concatenation}
if (filters.repo) {
q +=
repo:${filters.repo}; // No escaping}
Issue: User input is directly concatenated into GitHub search queries without escaping. Malicious input could break the query structure or inject unintended search parameters.
Impact: Search query injection attacks, unpredictable search results, potential security bypass.
Recommended Fix: Implement proper query parameter escaping/encoding.
What browsers are you seeing the problem on?
No response
π Relevant Screenshots (Links)
No response