Challenges
Last updated
The REST API exposes an endpoint that lets a user set an arbitrary profile picture by supplying a URL, which the server then fetches. Because the user-provided URL is not validated, the user can make the server issue a GET request to any destination on their behalf (server-side request forgery). This can have unintended consequences, such as reaching assets inside the VPN network or content that firewalls protect from outside requests.
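The mitigation the description implies is to validate the destination before the server fetches anything. The following is an added example, not code from the challenge or its application: it restricts the scheme, rejects embedded credentials, resolves the hostname, and refuses any address that is not globally routable (loopback, private ranges, link-local). The `resolve` parameter is an assumption introduced here so the check can be exercised offline with a stubbed resolver; the sample URLs and the addresses the stub returns are constructed.

```python
"""Validate a user-supplied profile picture URL before the server fetches it.

Added example (not part of the original challenge). Assumes the fetcher will
connect to one of the addresses this function returns rather than resolving
the hostname a second time, which closes the DNS-rebinding window.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched on behalf of the server."""


def _system_resolve(host: str) -> list[str]:
    # Default resolver: every A/AAAA record for the host. Tests pass a stub
    # instead so nothing here touches the network.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_image_url(url: str, resolve=_system_resolve):
    """Return the list of ip_address objects the fetcher may connect to.

    Raises UnsafeUrl for anything that could reach internal infrastructure.
    """
    parts = urlsplit(url)

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeUrl("credentials in URL are not allowed")

    host = parts.hostname
    if not host:
        raise UnsafeUrl("URL has no host")

    # Accept an IP literal directly; otherwise resolve the name and check
    # every record, because the fetcher may connect to any of them.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            raise UnsafeUrl(f"cannot resolve {host!r}: {exc}") from exc

    if not candidates:
        raise UnsafeUrl(f"no addresses for {host!r}")

    for ip in candidates:
        # is_global is False for loopback, RFC 1918, link-local (including
        # 169.254.0.0/16), unspecified and other reserved ranges.
        if not ip.is_global:
            raise UnsafeUrl(f"{host!r} resolves to non-public address {ip}")

    return candidates


def is_allowed(url: str, resolve=_system_resolve) -> bool:
    """Boolean convenience wrapper around validate_image_url."""
    try:
        validate_image_url(url, resolve)
        return True
    except UnsafeUrl:
        return False


if __name__ == "__main__":
    # Constructed stub resolver: "cdn.example" is public, "intranet.example"
    # is behind the VPN. No real DNS is consulted.
    STUB = {"cdn.example": ["8.8.8.8"], "intranet.example": ["10.0.0.5"]}
    resolve = lambda h: STUB.get(h, [])
    for u in ("https://cdn.example/avatar.png",
              "https://intranet.example/report.png",
              "http://127.0.0.1:8080/",
              "ftp://cdn.example/avatar.png"):
        print(f"{u:45} allowed={is_allowed(u, resolve)}")
```

Two points follow from the design. First, the fetcher should use the returned addresses (for example by connecting to the IP and sending the original `Host` header) rather than re-resolving the name, otherwise a DNS answer can change between the check and the connection. Second, HTTP redirects must be disabled or each hop re-validated with the same function, since a public host can redirect the server to an internal one.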