From 8ad0e5e71d37e08a6849ce56c10feee89bbf94cb Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Sun, 12 Apr 2026 19:22:50 +0700
Subject: [PATCH 1/2] fix(security): unencoded username in api route construction

The username is inserted directly into `/api/gravatar/${props.username}`. A crafted username containing path separators or reserved URL characters can change the effective request path and potentially hit unintended endpoints.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 app/components/User/Avatar.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/components/User/Avatar.vue b/app/components/User/Avatar.vue
index e78d320541..4b1dc8ce26 100644
--- a/app/components/User/Avatar.vue
+++ b/app/components/User/Avatar.vue
@@ -31,7 +31,7 @@ const textClass = computed(() => {
 }
 })
-const { data: gravatarUrl } = useLazyFetch(() => `/api/gravatar/${props.username}`, {
+const { data: gravatarUrl } = useLazyFetch(() => `/api/gravatar/${encodeURIComponent(props.username)}`, {
 transform: res => (res.hash ? `/_avatar/${res.hash}?s=128&d=404` : null),
 getCachedData(key, nuxtApp) {
 return nuxtApp.static.data[key] ?? nuxtApp.payload.data[key]

From 7870b18e15f51d5bf13d03f62bd258cb511e9ec2 Mon Sep 17 00:00:00 2001
From: "autofix-ci[bot]" <114827586+autofix-ci[bot]@users.noreply.github.com>
Date: Sun, 12 Apr 2026 12:24:08 +0000
Subject: [PATCH 2/2] [autofix.ci] apply automated fixes

---
 app/components/User/Avatar.vue | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/app/components/User/Avatar.vue b/app/components/User/Avatar.vue
index 4b1dc8ce26..36916e28d1 100644
--- a/app/components/User/Avatar.vue
+++ b/app/components/User/Avatar.vue
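Review bot: The `encodeURIComponent` added on the `+const { data: gravatarUrl }` line closes the path-segment problem for this component's request only; the server handler behind `/api/gravatar/...` still receives the decoded username and has to validate it on its own, since any client can call that route directly without this encoding. Because the call is easy to simplify away in a later refactor, a one-line comment above it would protect the fix, e.g. `// username is user-controlled and becomes a URL path segment; keep it encoded`. The `transform` on the following line interpolates `res.hash` into `/_avatar/${res.hash}` unencoded; that value comes from the API response rather than from the user, so it is presumably fine, but applying the same encoding would keep the two interpolations consistent. The `useLazyFetch` call's closing lines are outside this hunk.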
@@ -31,12 +31,15 @@ const textClass = computed(() => {
 }
 })
-const { data: gravatarUrl } = useLazyFetch(() => `/api/gravatar/${encodeURIComponent(props.username)}`, {
- transform: res => (res.hash ? `/_avatar/${res.hash}?s=128&d=404` : null),
- getCachedData(key, nuxtApp) {
- return nuxtApp.static.data[key] ?? nuxtApp.payload.data[key]
+const { data: gravatarUrl } = useLazyFetch(
+ () => `/api/gravatar/${encodeURIComponent(props.username)}`,
+ {
+ transform: res => (res.hash ? `/_avatar/${res.hash}?s=128&d=404` : null),
+ getCachedData(key, nuxtApp) {
+ return nuxtApp.static.data[key] ?? nuxtApp.payload.data[key]
+ },
 },
-})
+)