TLS Verification Disabled By Default
ezzrips opened this issue · comments
TLS Verification is disabled by default in these lines:
line 29 of (https://github.com/breakdowns/slam-mirrorbot/tree/a746ad28ee33cf5f05d4af3e5c9d8e651a351071/bot/helper/ext_utils/shortenurl.py#L29)
line 15 of (https://github.com/breakdowns/slam-mirrorbot/tree/a746ad28ee33cf5f05d4af3e5c9d8e651a351071/bot/helper/ext_utils/shortenurl.py#L15)
These TLS verification errors could potentially result in a man-in-the-middle attack!
And there's also a hard-coded "secret" in line 88 of
bot/init.py
These could all potentially create various security risks; please have a look when you have time!
Forgot one: there's also a path traversal in (https://github.com/breakdowns/slam-mirrorbot/tree/a746ad28ee33cf5f05d4af3e5c9d8e651a351071/gen_sa_accounts.py#L177) on line 177, where unsanitized input from a user flows into "open", where it is then used as a path. This could be used as a path traversal vulnerability by an attacker and allow them to read arbitrary files.
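The three findings above (certificate verification switched off, a secret hard-coded in source, and a user-supplied name flowing into `open`) map onto three small Python fixes. The block below is an added illustration written for this thread, not code from the slam-mirrorbot repository; it assumes the original code used the standard `ssl`/`requests`-style "disable verification" pattern, and the environment variable name `BOT_TOKEN`, the base directory `/tmp/sa_accounts` and the file names are constructed placeholders.

```python
import os
import ssl
from pathlib import Path

# --- 1. TLS verification -----------------------------------------------
# The pattern the report describes: chain and hostname checks turned off,
# so any on-path party can present its own certificate unnoticed.
def insecure_tls_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

# Hardened form: the library default already verifies the chain against the
# system trust store and checks the hostname; simply do not override it.
def verified_tls_context() -> ssl.SSLContext:
    return ssl.create_default_context()

def tls_context_is_verified(ctx: ssl.SSLContext) -> bool:
    """True when both certificate-chain and hostname checks are active."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

# --- 2. Secrets come from the environment, never from source -----------
def load_secret(name: str, env=None) -> str:
    """Read a secret from `env` (default: os.environ); refuse empty values
    so a missing deployment setting fails fast instead of falling back
    to a committed default."""
    env = os.environ if env is None else env
    value = env.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without it")
    return value

def secret_is_configured(name: str, env=None) -> bool:
    try:
        load_secret(name, env)
        return True
    except RuntimeError:
        return False

# --- 3. Path traversal guard before open() -----------------------------
def safe_join(base_dir: str, user_supplied_name: str) -> Path:
    """Resolve `user_supplied_name` under `base_dir` and reject anything that
    escapes it ('..', absolute paths, symlinks pointing outside)."""
    base = Path(base_dir).resolve()
    candidate = (base / user_supplied_name).resolve()
    # candidate == base (empty name) is also rejected: it is not a file under base
    if base not in candidate.parents:
        raise ValueError(f"refusing path outside {base}: {user_supplied_name!r}")
    return candidate

def is_safe_name(base_dir: str, user_supplied_name: str) -> bool:
    try:
        safe_join(base_dir, user_supplied_name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed demo values; no network access is made.
    print("default ctx verified:", tls_context_is_verified(verified_tls_context()))
    print("insecure ctx verified:", tls_context_is_verified(insecure_tls_context()))
    print("secret configured:", secret_is_configured("BOT_TOKEN", {"BOT_TOKEN": "constructed"}))
    for name in ("sa_1.json", "sub/../sa_2.json", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:>22} ->", is_safe_name("/tmp/sa_accounts", name))
```

The traversal check works on the resolved path rather than on the string, so `sub/../sa_2.json` is accepted (it stays inside the directory) while `../../etc/passwd` and an absolute path are rejected; a string-based `".." in name` filter would get the first case wrong.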
I think you have the wrong repo.