[Security Audit] Missing Authentication, Path Traversal, CSRF and Dependency Vulnerabilities #214

@nekobaimeow

Summary

While reviewing the social-auto-upload codebase, I identified several security issues in the legacy web backend (sau_backend.py) and the dependency chain. These range from missing authentication (Critical) to dependency vulnerabilities with known CVEs.

⚠️ Disclaimer: These issues primarily affect the legacy Flask+Vue web panel, which the README notes is not the current mainline. However, the project's documentation and API_DOCUMENTATION.md still reference it as a supported deployment path, and the vulnerable code ships in the repository — unaware users who deploy it are exposed.


🔴 Critical: Complete Lack of Authentication on Web Backend

File: sau_backend.py
Impact: Full account takeover, cookie theft, unauthorized video publishing

Description:

The frontend sends Authorization: Bearer <token> headers (see sau_frontend/src/utils/request.js:13-19), but sau_backend.py performs zero authentication checks:

  • No before_request hook for token validation
  • No session/JWT middleware
  • No user identity or role checks

Combined with CORS(app) (lines 17-20) that opens cross-origin access, anyone who can reach port 5409 can:

| Endpoint | What they can do |
| --- | --- |
| GET /getAccounts | Enumerate all accounts |
| GET /downloadCookie/<name> | Download any account's cookie JSON |
| POST /uploadCookie | Replace any account's cookie |
| GET /deleteAccount/<name> | Delete accounts |
| POST /postVideo | Publish videos to connected platforms |

Proof of Concept:

# No auth header needed — direct access
curl http://TARGET:5409/getAccounts
curl http://TARGET:5409/downloadCookie/douyin_creator
curl -X POST http://TARGET:5409/postVideo \
  -H 'Content-Type: application/json' \
  -d '{"type":3, "title":"pwned", "fileList":["..."], "accountList":["..."], "tags":[]}'

Fix Recommendation:

  • Add middleware (e.g., Flask before_request) to validate Authorization: Bearer <token> on all /get*, /post*, /delete*, /upload*, /download* routes
  • Replace blanket CORS(app) with targeted origins
  • Consider removing the legacy web backend entirely from the main branch if it's not maintained

🟠 High: Destructive Operations Use GET Requests

Files: sau_backend.py:255-315, sau_backend.py:317-374

Description:

/deleteFile and /deleteAccount are registered as GET routes:

@app.route('/deleteFile', methods=['GET'])    # line 255
@app.route('/deleteAccount', methods=['GET'])  # line 317

Using GET for state-changing operations makes them vulnerable to:

  • CSRF: <img src="http://localhost:5409/deleteAccount/creator"> on any page deletes the account
  • Accidental triggers: browser prefetch, link crawlers, browser history

Fix: Change to methods=['POST'] or methods=['DELETE'], and require a CSRF token or Content-Type: application/json check.


🟠 High: Inconsistent Path Traversal Protection

Files: sau_backend.py:72-88 vs sau_backend.py:648-653

Description:

Two file-serving endpoints handle path safety differently:

/getFile (weak — string-based):

# line 78
if '..' in filename or filename.startswith('/'):
    return jsonify({'error': 'Invalid filename'}), 400

This naive check can be bypassed (e.g., encoded variants, symlink tricks, Windows ..\).

/downloadCookie (strong — resolve-based):

# line 648-653
safe_path = base_path / account_path
safe_path = safe_path.resolve()
if not safe_path.is_relative_to(base_path.resolve()):
    return jsonify({'error': 'Invalid account path'}), 400

Fix: Apply the resolve() + is_relative_to() pattern to /getFile as well. Also validate against Windows separators if cross-platform support is desired.


🟡 Medium: Dependency Vulnerabilities (Mainline)

File: pyproject.toml -> uv.lock

| Package | Version | CVE | Impact | Fix |
| --- | --- | --- | --- | --- |
| requests | 2.32.3 | CVE-2024-47081 | .netrc credential leak via malicious redirect | >=2.32.4 |
| urllib3 | 2.6.3 | CVE-2026-44431 | Sensitive headers forwarded on cross-origin redirect | >=2.7.0 |
| idna | 3.11 | CVE-2026-45409 | DoS via crafted idna.encode() input | >=3.15 |

Fix: Bump minimum versions in pyproject.toml and re-lock.

📝 The historical requirements.txt (UTF-16 LE encoded, not main install path) has 50 vulnerabilities across 15 packages. If it's kept for reference, add a prominent warning.


🟡 Medium: Excessive Data Exposure in /getAccounts

File: sau_backend.py:193-214

Description:

accounts = cursor.execute("SELECT * FROM user_info").fetchall()

Returns the entire user_info table with no field filtering. The frontend's Account Management page has a "Download Cookie" button per account (lines 672-686 of AccountManagement.vue), meaning the full account list effectively exposes all stored credentials.

Fix: Return only non-sensitive fields (id, name, platform) unless explicitly requesting details with auth.


🔵 Low: SSE /login Endpoint Has No Identity Validation

File: sau_backend.py:377-400

Description:

active_queues[request.args.get('id')] = queue

Uses a user-supplied id parameter directly as a dictionary key with no validation. An attacker can inject arbitrary keys, potentially causing collisions or resource exhaustion.

Fix: Validate the id parameter against known accounts, add rate limiting, and set a TTL on queue entries.


Environment

  • Commit: Latest main (as of 2026-05-31)
  • Python: 3.10–3.12
  • Audit tools: pip-audit, npm audit, manual code review

I'm happy to submit a PR for any of these — just let me know which ones you'd like fixed first. The authentication issue (#1) is the most urgent.
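An added example for the authentication finding above (not code from the project or from the issue author): a standard-library WSGI middleware that enforces `Authorization: Bearer <token>` on the route prefixes listed in the fix recommendation. It uses WSGI wrapping rather than a Flask `before_request` hook so it runs without Flask installed; the class name, `status_for` helper, token value and the OPTIONS pass-through are assumptions.

```python
import hmac

# Route prefixes named in the issue's fix recommendation.
PROTECTED_PREFIXES = ("/get", "/post", "/delete", "/upload", "/download")


class BearerAuthMiddleware:
    """Reject requests to protected routes that lack the expected bearer token."""

    def __init__(self, wsgi_app, token: str):
        if not token:
            raise ValueError("refusing to start with an empty token")
        self.wsgi_app = wsgi_app
        self.token = token.encode()

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # Assumption: CORS preflights (OPTIONS) carry no credentials and are
        # answered by the CORS layer without running a route handler.
        preflight = environ.get("REQUEST_METHOD") == "OPTIONS"
        if path.startswith(PROTECTED_PREFIXES) and not preflight \
                and not self._authorized(environ):
            start_response("401 Unauthorized",
                           [("Content-Type", "application/json"),
                            ("WWW-Authenticate", "Bearer")])
            return [b'{"error": "unauthorized"}']
        return self.wsgi_app(environ, start_response)

    def _authorized(self, environ) -> bool:
        header = environ.get("HTTP_AUTHORIZATION", "")
        scheme, _, supplied = header.partition(" ")
        # Constant-time comparison so the token is not leaked through timing.
        return scheme.lower() == "bearer" and hmac.compare_digest(
            supplied.strip().encode(), self.token)


def status_for(path, authorization="", method="GET", token="example-token"):
    """Send one constructed request through the middleware; return the status."""
    def backend(environ, start_response):  # stand-in for the Flask app
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    environ = {"PATH_INFO": path, "REQUEST_METHOD": method}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = []
    BearerAuthMiddleware(backend, token)(environ, lambda s, h: seen.append(s))
    return seen[0]

# With Flask: app.wsgi_app = BearerAuthMiddleware(app.wsgi_app, token)
```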
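An added example for the path traversal finding above (not code from the project or from the issue author): the two checks quoted from /getFile and /downloadCookie, run side by side over a constructed directory tree. The directory names, file names and the `compare` helper are assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def naive_check(filename: str) -> bool:
    """The string test quoted from /getFile; True means the name is accepted."""
    return not ('..' in filename or filename.startswith('/'))


def resolve_check(base_dir: Path, filename: str) -> bool:
    """The resolve() + is_relative_to() test quoted from /downloadCookie."""
    base = base_dir.resolve()
    candidate = (base / filename).resolve()  # follows symlinks, collapses ".."
    return candidate.is_relative_to(base)


def compare(names):
    """Build a constructed served directory and run both checks on each name."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "videoFile"      # constructed: directory being served
        outside = Path(tmp) / "cookies"     # constructed: data that must stay private
        base.mkdir()
        outside.mkdir()
        (outside / "account.json").write_text("{}")
        (base / "clip..final.mp4").write_text("video")
        # A link inside the served directory that points outside it.
        os.symlink(outside, base / "link")
        return {n: (naive_check(n), resolve_check(base, n)) for n in names}


if __name__ == "__main__":
    samples = ["clip..final.mp4", "link/account.json", "../cookies/account.json"]
    for name, (naive, resolved) in compare(samples).items():
        print(f"{name!r}: string check={naive}, resolve check={resolved}")
```

The string check rejects a legitimate file name that merely contains two dots and accepts a path that leaves the directory through a symlink; the resolve-based check gets both right.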
