security: percent-encode API query parameters to prevent injection #2313

Draft
cursor[bot] wants to merge 1 commit into main from cursor/application-security-review-990d

Conversation

@cursor cursor Bot commented Jun 29, 2026


Description

Fixes a medium-severity HTTP parameter pollution vulnerability in the HTTP and SSE API providers.

Related Issue

Scheduled application security review (2026-06-29)

Type of Change

  • Bug fix (non-breaking change that fixes an issue)

What Has Changed

  • Added appendEncodedQueryParameters() in api_url_utils.dart to percent-encode query parameter keys and values
  • Updated http_api_provider.dart and sse_api_provider.dart to use safe URL construction instead of raw string concatenation
  • Added api_query_param_security_test.dart regression tests

Security Impact

Attacker: External user supplying input bound to API parameters via YAML ${expression}.

Attack path: User-controlled value containing & or = (e.g. foo&admin=true) is concatenated into the request URL without encoding, injecting extra query parameters against the backend.

Severity: Medium — HTTP parameter pollution; impact depends on backend parameter handling.

How to Test

  1. Run flutter test test/api_query_param_security_test.dart in modules/ensemble
  2. Verify API calls with special characters in parameter values encode correctly

Checklist

  • I have added regression tests
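The attack path described in the comment above, shown as an added Dart example (illustrative code written for this page, not the project's api_url_utils.dart; the helper names, the endpoint URL and the attacker input are assumptions). The first builder reproduces the raw-concatenation behaviour the PR replaces, the second percent-encodes each key and value with Uri.encodeQueryComponent, and the check at the end parses both results the way a backend would to show where the extra admin parameter appears:

```dart
// Added example: HTTP parameter pollution via raw concatenation, and the
// percent-encoded construction that prevents it. Not the project's own code;
// helper names, the base URL and the sample input are assumed for illustration.

/// 'Before' behaviour described in the PR: keys and values are pasted into the
/// URL as-is, so a value containing '&' or '=' turns into extra parameters.
String buildUrlUnsafe(String base, Map<String, String> params) {
  final buf = StringBuffer(base);
  var separator = base.contains('?') ? '&' : '?';
  params.forEach((key, value) {
    buf.write('$separator$key=$value');
    separator = '&';
  });
  return buf.toString();
}

/// Hardened construction: every key and value goes through
/// Uri.encodeQueryComponent, which turns '&' into %26 and '=' into %3D
/// (and a space into '+'), so one supplied value stays one parameter value.
String buildUrlEncoded(String base, Map<String, String> params) {
  final buf = StringBuffer(base);
  var separator = base.contains('?') ? '&' : '?';
  params.forEach((key, value) {
    buf.write(separator);
    buf.write(Uri.encodeQueryComponent(key));
    buf.write('=');
    buf.write(Uri.encodeQueryComponent(value));
    separator = '&';
  });
  return buf.toString();
}

/// Regression-style check: parse the final URL as a backend would and return
/// every parameter name the caller never intended to send.
List<String> injectedParameters(String url, Map<String, String> intended) {
  final seen = Uri.parse(url).queryParametersAll;
  return seen.keys.where((k) => !intended.containsKey(k)).toList();
}

void main() {
  const base = 'https://api.example.com/v1/search'; // assumed endpoint
  // Constructed attacker input bound to the 'q' parameter via ${expression}.
  const intended = {'q': 'foo&admin=true', 'page': '1'};

  final unsafe = buildUrlUnsafe(base, intended);
  final safe = buildUrlEncoded(base, intended);

  print('unsafe: $unsafe');
  print('  parsed as: ${Uri.parse(unsafe).queryParametersAll}');
  print('safe:   $safe');
  print('  parsed as: ${Uri.parse(safe).queryParametersAll}');

  // The concatenated URL carries an 'admin' parameter the caller never set.
  if (!injectedParameters(unsafe, intended).contains('admin')) {
    throw StateError('expected the unsafe URL to show parameter pollution');
  }
  // The encoded URL round-trips to exactly the intended key/value pairs.
  if (injectedParameters(safe, intended).isNotEmpty ||
      Uri.parse(safe).queryParameters['q'] != 'foo&admin=true') {
    throw StateError('encoded URL did not preserve the intended parameters');
  }
}
```

Two caveats a reviewer of the real change would want confirmed. Percent-encoding the value only helps when the attacker controls the value, not the key: if an expression can choose which parameter name is bound, an attacker can set admin directly and encoding will not stop it, so the set of parameter names should come from the YAML author, never from the expression result. And Uri.encodeQueryComponent covers only query components; if the same ${expression} can land in the host, path or a base URL that already carries a fragment, those are separate sinks, and building the final URL with Uri.parse(base).replace(queryParameters: ...) rather than string appends keeps the fragment in place and encodes consistently.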

@cursor cursor Bot force-pushed the cursor/application-security-review-990d branch from e2bd772 to ae40d6e on June 29, 2026 09:06
ChartJs interpolated string config directly into browser eval() on web
and into inline HTML/JS on native. Attacker-controlled config from API
responses or user input could break out of the Chart constructor call
and execute arbitrary JavaScript.

Validate string configs as JSON and emit via jsonEncode. Preserve trusted
Map-based configs that may include author-defined JS callbacks. Reject
unsafe chart ids embedded in HTML/JS contexts. Adds regression tests.

Co-authored-by: Sharjeel Yunus <sharjeelyunus@users.noreply.github.com>
@cursor cursor Bot force-pushed the cursor/application-security-review-990d branch from ae40d6e to 8406152 on June 29, 2026 09:07