security: percent-encode API query parameters to prevent injection#2313
Draft
cursor[bot] wants to merge 1 commit into
ChartJs interpolated string config directly into browser eval() on web and into inline HTML/JS on native. Attacker-controlled config from API responses or user input could break out of the Chart constructor call and execute arbitrary JavaScript. Validate string configs as JSON and emit via jsonEncode. Preserve trusted Map-based configs that may include author-defined JS callbacks. Reject unsafe chart ids embedded in HTML/JS contexts. Adds regression tests. Co-authored-by: Sharjeel Yunus <sharjeelyunus@users.noreply.github.com>
Description
Fixes a medium-severity HTTP parameter pollution vulnerability in the HTTP and SSE API providers.
Related Issue
Scheduled application security review (2026-06-29)
Type of Change
What Has Changed
- appendEncodedQueryParameters() in api_url_utils.dart to percent-encode query parameter keys and values
- http_api_provider.dart and sse_api_provider.dart to use safe URL construction instead of raw string concatenation
- api_query_param_security_test.dart regression tests
Security Impact
- Attacker: External user supplying input bound to API parameters via YAML ${expression}.
- Attack path: User-controlled value containing & or = (e.g. foo&admin=true) is concatenated into the request URL without encoding, injecting extra query parameters against the backend.
- Severity: Medium — HTTP parameter pollution; impact depends on backend parameter handling.
How to Test
flutter test test/api_query_param_security_test.dart in modules/ensemble
Checklist
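As an added example (not the project's own code), a hypothetical Dart version of the fix described above: the raw-concatenation pattern beside a percent-encoding appendEncodedQueryParameters(). Only the function name comes from the PR; its body, the sample base URL and the sample input are assumptions constructed for illustration.

```dart
// Added example, not code from the PR. Demonstrates why percent-encoding
// query keys and values stops HTTP parameter pollution.

/// Vulnerable pattern the PR replaces: keys and values are concatenated
/// verbatim, so a value containing '&' or '=' becomes extra parameters.
String buildUrlUnsafe(String base, Map<String, String> params) {
  final query = params.entries.map((e) => '${e.key}=${e.value}').join('&');
  return '$base?$query';
}

/// Hardened pattern (hypothetical body for the function named in the PR):
/// every key and value is run through Uri.encodeQueryComponent before
/// joining, and an existing query on the base URL is preserved.
String appendEncodedQueryParameters(String base, Map<String, String> params) {
  if (params.isEmpty) return base;
  final encoded = params.entries
      .map((e) => '${Uri.encodeQueryComponent(e.key)}='
          '${Uri.encodeQueryComponent(e.value)}')
      .join('&');
  final separator = base.contains('?') ? '&' : '?';
  return '$base$separator$encoded';
}

void main() {
  // Constructed sample endpoint and a constructed attacker-controlled value
  // of the kind a YAML ${expression} binding could supply.
  const base = 'https://api.example.com/users';
  final params = {'name': 'foo&admin=true'};

  // Parse both results the way a backend would, to see what it receives.
  final unsafe = Uri.parse(buildUrlUnsafe(base, params)).queryParameters;
  final safe = Uri.parse(appendEncodedQueryParameters(base, params)).queryParameters;

  // Unsafe: the backend sees a second, injected parameter.
  if (!unsafe.containsKey('admin')) {
    throw StateError('expected injected parameter in unsafe URL');
  }
  // Safe: exactly one parameter whose value is the literal string.
  if (safe.length != 1 || safe['name'] != 'foo&admin=true') {
    throw StateError('encoding did not neutralise the injected parameter');
  }
  print('unsafe params: $unsafe');
  print('safe params:   $safe');
}
```

The same result can be obtained with `Uri.replace(queryParameters: ...)` from the Dart core library, which performs the encoding internally.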