Skip to content

security: user-controlled URL params injected directly into Redux store via JSON.parse #2319

Description

@AshayK003

Problem

ReactiveBase.js parses URL search parameters directly with JSON.parse and injects the result into the Redux store as initial selectedValues:

Array.from(params.keys()).forEach((key) => {
    try {
        const parsedParams = JSON.parse(params.get(key));
        selectedValues[key] = { value: parsedParams.value || parsedParams, ... };
    } catch (e) { /* silent failure */ }
});

A crafted URL can inject arbitrary object structures into the store, potentially triggering unexpected behavior in downstream components that consume selectedValues.

Location

packages/web/src/components/basic/ReactiveBase.js, lines 140-162

Suggested Fix

Validate the shape of parsed values before injection. Expected shapes are string primitives or { value, category } objects. Reject anything that doesn't match.

Severity

High — URL injection into application state

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions