Clarification and motivation
When a user runs xrefcheck, they do not think much about which links will fall under verification.
It may happen that the user forgot to exclude node_modules, and as a result we end up scanning half of the npm world's packages. Some of them may contain links referring to bad or even malicious sites; some may contain megabyte-sized .md files. We should be ready for this and not cause any harm to the user's machine or CI.
So let's go thoroughly over the code and think about potential attack vectors, and probably gather them in some document (and expect it to be really large). We already took care of some potential problems like redirect loops and links referring outside of the repository, but we should think more.
Acceptance criteria
At least 3 developers + 1 expert participate in discussions / code audit, and prepare a document describing potential issues.
For each issue in this document, it is either addressed or a follow-up ticket is created.
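The issue above names four hazards a link checker meets when pointed at untrusted markdown: walking into node_modules, parsing oversized .md files, following redirect loops or long redirect chains, and resolving relative links that escape the repository root. The following is an added example, not xrefcheck's code (xrefcheck itself is written in Haskell), showing one defensive treatment of each in Python. The size and redirect limits, the excluded directory names, the sample repository layout and the fake HTTP table are all constructed for this illustration; real network access is replaced by an injected fetch function so the whole thing runs offline.

```python
import os
import re
import tempfile

# Constructed limits for this example; they are not xrefcheck's defaults.
MAX_MD_BYTES = 1 * 1024 * 1024   # refuse to parse markdown files larger than this
MAX_REDIRECTS = 5                 # maximum redirect hops followed per external link
EXCLUDED_DIRS = {"node_modules", ".git", "vendor"}

# Deliberately simple link matcher: [text](target); fragments are stripped later.
LINK_RE = re.compile(r"\[[^\]]*\]\(([^)\s]+)\)")


def iter_markdown_files(root):
    """Walk the repo, pruning excluded directories before os.walk descends into them."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            if name.endswith(".md"):
                yield os.path.join(dirpath, name)


def read_bounded(path, limit=MAX_MD_BYTES):
    """Return file text, or None if the file is over the limit (checked via stat, before reading)."""
    if os.path.getsize(path) > limit:
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read(limit)


def classify_local(root, source, target):
    """Resolve a relative link and reject anything whose real path leaves the repository root."""
    real_root = os.path.realpath(root)
    base = target.split("#", 1)[0] or source          # "#anchor" alone refers to the source file
    candidate = os.path.realpath(os.path.join(os.path.dirname(source), base))
    try:
        inside = os.path.commonpath([real_root, candidate]) == real_root
    except ValueError:                                 # different drives on Windows
        inside = False
    if not inside:
        return "outside-repo"
    return "ok" if os.path.exists(candidate) else "missing"


def classify_external(url, fetch, max_redirects=MAX_REDIRECTS):
    """Follow redirects with a hop cap and a visited set so loops and long chains fail closed."""
    seen = set()
    current = url
    for _ in range(max_redirects + 1):
        if current in seen:
            return "redirect-loop"
        seen.add(current)
        status, location = fetch(current)
        if status in (301, 302, 307, 308) and location:
            current = location
            continue
        return "ok" if status == 200 else "broken"
    return "too-many-redirects"


def scan_repo(root, fetch):
    """Scan every markdown file under root; returns {(relative file, link): verdict}."""
    results = {}
    for path in iter_markdown_files(root):
        rel = os.path.relpath(path, root)
        text = read_bounded(path)
        if text is None:
            results[(rel, None)] = "file-too-large"
            continue
        for target in LINK_RE.findall(text):
            if target.startswith(("http://", "https://")):
                results[(rel, target)] = classify_external(target, fetch)
            else:
                results[(rel, target)] = classify_local(root, path, target)
    return results


# Constructed fake HTTP responses: url -> (status, Location header).
FAKE_HTTP = {
    "https://example.com/ok": (200, None),
    "https://example.com/gone": (404, None),
    "https://example.com/loop-a": (302, "https://example.com/loop-b"),
    "https://example.com/loop-b": (302, "https://example.com/loop-a"),
}
for _i in range(10):   # hop0 -> hop1 -> ... -> hop10, longer than MAX_REDIRECTS
    FAKE_HTTP[f"https://example.com/hop{_i}"] = (301, f"https://example.com/hop{_i + 1}")


def fake_fetch(url):
    """Stand-in for an HTTP HEAD/GET; unknown URLs behave like a connection failure."""
    return FAKE_HTTP.get(url, (0, None))


def build_sample_repo():
    """Create a constructed throwaway repository exercising each hazard; returns its root."""
    root = tempfile.mkdtemp(prefix="xrefcheck-audit-")

    def write(rel, content):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

    write("README.md", "[docs](docs/guide.md) [escape](../../etc/passwd) [abs](/etc/passwd) "
                       "[ok](https://example.com/ok) [loop](https://example.com/loop-a) "
                       "[chain](https://example.com/hop0) [gone](https://example.com/gone)")
    write("docs/guide.md", "[back](../README.md) [nope](missing.md)")
    write("docs/huge.md", "x" * (MAX_MD_BYTES + 1))
    write("node_modules/some-pkg/README.md", "[bad](https://example.com/loop-a)")
    return root


if __name__ == "__main__":
    for key, verdict in sorted(scan_repo(build_sample_repo(), fake_fetch).items(), key=str):
        print(key, verdict)
```

Two design points worth noting: the size check uses `stat` before any read, so an oversized file never enters the parser at all, and the directory exclusion prunes `dirnames` in place, so `os.walk` never even lists the contents of node_modules. The redirect follower bounds both the number of hops and the set of URLs visited; a plain hop counter alone would still waste five requests on a two-URL loop.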