Location: src/Freedomtool.ts:243
const ipfsResponse = await transport(
  this.config.api.ipfsUrl + `/ipfs/` + ipfsCid,
  // ...
);
ipfsCid comes from the smart contract (contractData[2][4]). A malicious or misconfigured proposal contract could set an unexpected value — e.g., ../../etc or a full URL that breaks the concatenation.
Impact: Low in practice (the contract is the trust boundary), but the IPFS gateway could be redirected or an unexpected path could be fetched. Worth a one-liner fix.
Fix: Validate ipfsCid matches a CIDv1/CIDv0 pattern before use:
// CIDv0: "Qm" + 44 base58btc characters; CIDv1: "bafy" + 55 lowercase base32 characters.
if (!/^Qm[1-9A-HJ-NP-Za-km-z]{44}$|^bafy[a-z2-7]{55}$/.test(ipfsCid)) {
  throw new Error(`Invalid IPFS CID: ${ipfsCid}`);
}
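An added example, not code from the Freedomtool repository: a pattern check constrains only alphabet and length, so this version goes one step further and decodes the contract-supplied value, accepting it only when the bytes carry a CIDv0 multihash header or a CIDv1 dag-pb/sha2-256 header (the "bafy" form the fix targets). The helper names are hypothetical, and the gateway host and rejected inputs used to exercise it are constructed.

```typescript
// Added example: helper names are hypothetical, not taken from src/Freedomtool.ts.
const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
const B32 = "abcdefghijklmnopqrstuvwxyz234567";

// Decode base58btc to big-endian bytes; null if a character is outside the alphabet.
function decodeBase58(s: string): number[] | null {
  const le: number[] = []; // little-endian accumulator
  for (let i = 0; i < s.length; i++) {
    let carry = B58.indexOf(s.charAt(i));
    if (carry < 0) return null;
    for (let j = 0; j < le.length; j++) {
      carry += (le[j] ?? 0) * 58; le[j] = carry & 0xff; carry >>= 8;
    }
    while (carry > 0) { le.push(carry & 0xff); carry >>= 8; }
  }
  for (let i = 0; i < s.length && s.charAt(i) === "1"; i++) le.push(0); // leading zero bytes
  return le.reverse();
}

// Decode unpadded lowercase RFC 4648 base32; null on any other character.
function decodeBase32(s: string): number[] | null {
  const out: number[] = [];
  let acc = 0, bits = 0;
  for (let i = 0; i < s.length; i++) {
    const v = B32.indexOf(s.charAt(i));
    if (v < 0) return null;
    acc = (acc << 5) | v; bits += 5;
    if (bits >= 8) { bits -= 8; out.push((acc >> bits) & 0xff); acc &= (1 << bits) - 1; }
  }
  return out;
}

// True only for CIDv0 (sha2-256 multihash) or base32 CIDv1 with dag-pb + sha2-256.
function isValidCid(cid: string): boolean {
  if (cid.length === 46 && cid.slice(0, 2) === "Qm") {
    const b = decodeBase58(cid);
    return b !== null && b.length === 34 && b[0] === 0x12 && b[1] === 0x20;
  }
  if (cid.length === 59 && cid.slice(0, 4) === "bafy") {
    const b = decodeBase32(cid.slice(1)); // drop the multibase prefix "b"
    return b !== null && b.length === 36 && b[0] === 0x01 && b[1] === 0x70 && b[2] === 0x12 && b[3] === 0x20;
  }
  return false;
}

// Build the gateway URL only after the contract-supplied value has been validated.
function ipfsGatewayUrl(ipfsUrl: string, ipfsCid: string): string {
  if (!isValidCid(ipfsCid)) throw new Error(`Invalid IPFS CID: ${JSON.stringify(ipfsCid)}`);
  return ipfsUrl + "/ipfs/" + ipfsCid;
}
```

Because nothing but a decoded CID reaches the concatenation, path segments such as `../../etc` and absolute URLs are rejected before any request is made.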