Impact
Input to functions such as Client.rest.channels.removeBan is not URL-encoded, so specially crafted input such as ../../../channels/{id} is normalized into the URL /api/v10/channels/{id}, deleting a channel rather than removing a ban.
Workarounds
- Sanitizing user input, ensuring strings are valid for the purpose they are being used for.
- Encoding input with encodeURIComponent before providing it to the library.
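As an added example (not code from the advisory or the library), the following shows how the traversal described under Impact is resolved by URL normalization and how the encodeURIComponent workaround prevents it; the base URL, the guilds/{guildID}/bans/{userID} route shape and the snowflake check are assumptions, not taken from the library.

```javascript
// Added example, not the library's code. The route shape and base URL below
// are assumptions used only to illustrate the normalization behaviour.
const BASE = "https://discord.com/api/v10/";

// Vulnerable pattern: the caller-supplied segment is interpolated raw, so any
// ".." components it contains are resolved by URL normalization.
function removeBanPathUnsafe(guildID, userID) {
  return new URL(`guilds/${guildID}/bans/${userID}`, BASE).pathname;
}

// Hardened pattern (the advisory's workaround): every caller-supplied segment
// is percent-encoded, so "/" becomes "%2F" and ".." can no longer act as a
// dot-segment during normalization.
function removeBanPathSafe(guildID, userID) {
  const g = encodeURIComponent(guildID);
  const u = encodeURIComponent(userID);
  return new URL(`guilds/${g}/bans/${u}`, BASE).pathname;
}

// Input validation (the advisory's other workaround): Discord IDs are
// snowflakes, i.e. decimal digit strings, so anything else is rejected up front.
function isSnowflake(value) {
  return typeof value === "string" && /^\d{1,20}$/.test(value);
}

// Constructed sample input: a value passed where a user ID was expected.
const crafted = "../../../channels/123456789";
console.log(removeBanPathUnsafe("111", crafted)); // /api/v10/channels/123456789
console.log(removeBanPathSafe("111", crafted));   // /api/v10/guilds/111/bans/..%2F..%2F..%2Fchannels%2F123456789
console.log(isSnowflake(crafted));                // false
```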
References
8bf8ee8