Think over potential attack vectors #256

Open
Martoon-00 opened this issue Dec 21, 2022 · 0 comments
Clarification and motivation

When a user runs xrefcheck, he does not think much about which links will fall under verification.

It may happen that the user forgot to exclude node_modules, and as a result we went scanning half of the npm world's packages. Some of them may contain links referring to bad or even malicious sites, some may contain megabyte .md files. We should be ready for this and not cause any harm to the user's machine or CI.

So let's go thoroughly over the code and think about potential attack vectors; probably gather them in some document (and expect it to be really large). We already took care of some potential problems like redirect loops and links referring outside of the repository, but we should think more.

Acceptance criteria

  • At least 3 developers + 1 expert participate in discussions / code audit, and prepare a document describing potential issues.
  • For each issue in this document, it is either addressed or a follow-up ticket is created.