
🚀 Join Cloudinary's Hacktoberfest! #105

Open
const-cloudinary opened this issue Oct 1, 2024 · 4 comments

Comments

@const-cloudinary
Collaborator

Hacktoberfest is here! And we’re excited to invite you to explore and contribute to our Cloudinary SDKs on GitHub!

Whether you’re a seasoned contributor or new to Open Source, this is a great opportunity to get involved, suggest improvements, and help shape our SDKs.

🛠️ Here’s what we’re looking for:

  • Explore our SDKs and suggest enhancements.
  • Report bugs, improve documentation, or offer new ideas.
  • Help us make the developer experience even better!

Meaningful contributions will be eligible for exclusive Cloudinary swag; learn more about the requirements in our blog post.

Let’s build something amazing together! 🎉

@neelshah2409

Hi @const-cloudinary
In cloudinary.go, the URLForUpload function has a potential security issue. It directly uses the user-provided public_id without any sanitization. This could lead to security vulnerabilities like SSRF or XSS attacks. It is recommended to sanitize or validate the public_id before using it.

Should I work on it?

@const-cloudinary
Collaborator Author

Hello @neelshah2409, thank you for your participation!

Can you please provide an example?

This is a backend SDK; it doesn't run in the browser. The public ids that are specified are passed through some backend code that can validate them, use a WAF or any other security layer to mitigate such attacks.
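The two comments above disagree only about where the check belongs: inside the SDK's URL-building function or in the application's backend before the value is handed to it. The block below is an added example, not code from the cloudinary-go project or from either commenter, of what that backend-side check can look like. The function name `ValidatePublicID`, the 255-byte limit and the character allowlist are assumptions chosen for this example rather than rules documented by the SDK; the allowlist excludes `:`, `?`, `#`, `<`, `>`, quotes and whitespace, so a value cannot carry a URL scheme, query string or markup, and the segment check rejects `.`, `..` and empty path components.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf8"
)

// Example validator for a caller-supplied public_id, run in the application's
// own backend before the value reaches any SDK URL-building function.
// The limit and the allowlist below are assumptions made for this example;
// they are not rules taken from the cloudinary-go project.
const maxPublicIDLen = 255

// Conservative allowlist: ASCII letters, digits, ".", "_", "-" and "/" as a
// folder separator. It deliberately excludes ":", "?", "#", "<", ">", quotes
// and whitespace, so the value can never smuggle in a scheme, query or markup.
var publicIDPattern = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

var (
	ErrEmptyPublicID     = errors.New("public_id is empty")
	ErrPublicIDEncoding  = errors.New("public_id is not valid UTF-8")
	ErrPublicIDTooLong   = errors.New("public_id exceeds maximum length")
	ErrPublicIDCharset   = errors.New("public_id contains characters outside the allowlist")
	ErrPublicIDTraversal = errors.New("public_id contains an empty, '.' or '..' path segment")
)

// ValidatePublicID returns nil when the id is acceptable, otherwise the
// sentinel error describing why it must not be passed on.
func ValidatePublicID(id string) error {
	switch {
	case id == "":
		return ErrEmptyPublicID
	case !utf8.ValidString(id):
		return ErrPublicIDEncoding
	case len(id) > maxPublicIDLen:
		return ErrPublicIDTooLong
	case !publicIDPattern.MatchString(id):
		return ErrPublicIDCharset
	}
	// The allowlist admits "." and "/", so path structure still has to be
	// checked: leading or trailing slashes, "//", "." and ".." segments are
	// all rejected here.
	for _, seg := range strings.Split(id, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return ErrPublicIDTraversal
		}
	}
	return nil
}

// CheckPublicIDs validates each candidate and returns those that passed, in order.
func CheckPublicIDs(candidates []string) []string {
	var accepted []string
	for _, c := range candidates {
		if err := ValidatePublicID(c); err == nil {
			accepted = append(accepted, c)
		}
	}
	return accepted
}

func main() {
	// Constructed sample inputs: two well-formed ids and several that a
	// validator in front of URL building should refuse.
	samples := []string{
		"samples/sheep",
		"user-uploads/2024/report_v2",
		"",
		"../etc/passwd",
		"http://127.0.0.1/admin",
		"<script>alert(1)</script>",
		"folder//double",
		strings.Repeat("a", maxPublicIDLen+1),
	}
	for _, s := range samples {
		if err := ValidatePublicID(s); err != nil {
			fmt.Printf("reject %q: %v\n", s, err)
		} else {
			fmt.Printf("accept %q\n", s)
		}
	}
}
```

The validator is deliberately an allowlist rather than a blocklist of known-bad strings: anything the application did not expect is refused, and the distinct sentinel errors make it straightforward to log and count rejections by reason, which is the signal a detection pipeline would want from this layer.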

@RS-labhub

Are you guys going to open any issues, or do we have to find them?

@const-cloudinary
Collaborator Author

@RS-labhub, if you find anything, feel free to open a GitHub Issue and then work on it.

3 participants