The EmbeddedChatApi class builds request URLs by directly inserting the output of JSON.stringify() into query parameters without URL encoding. This happens in the getMessages and getOlderMessages methods.
If the query or field object contains special URL characters such as &, =, or #, those characters are interpreted by the server as URL delimiters, not as part of the value. This allows extra query parameters to be injected into the request.
As a result, the API is vulnerable to HTTP Parameter Pollution, which can lead to incorrect request handling and potential security issues.
Affected Code
File: packages/api/src/EmbeddedChatApi.ts
Current Implementation
const query = options?.query
? `&query=${JSON.stringify(options.query)}`
: "";
Steps to Reproduce
- Initialize EmbeddedChatApi.
- Call getMessages with a malicious query object:
api.getMessages(false, {
  query: { attack: "test&roomId=GENERAL" }
});
- Inspect the network request.
Observed URL
.../messages?roomId=RID&query={"attack":"test&roomId=GENERAL"}
Result
The server interprets roomId=GENERAL as a separate query parameter, because the & inside the JSON string was not URL-encoded.
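As an added example (not EmbeddedChat's own code), the reported pattern is placed next to a hardened builder that routes every value through URLSearchParams, with a small parser that shows how many roomId values a server-side query parser would see for each URL. The host, path and parameter names are placeholders modelled on the report.

```typescript
// Added example, not code from the EmbeddedChat project.
type QueryObject = Record<string, unknown>;

// Placeholder endpoint; the real path lives in EmbeddedChatApi.ts.
const ENDPOINT = "https://example.invalid/api/v1/channels.messages";

// Mirrors the reported pattern: JSON.stringify() output is interpolated
// straight into the query string, so a '&' inside a value becomes a delimiter.
function buildUnsafe(roomId: string, query?: QueryObject): string {
  const q = query ? `&query=${JSON.stringify(query)}` : "";
  return `${ENDPOINT}?roomId=${roomId}${q}`;
}

// Hardened form: URLSearchParams percent-encodes '&', '=', '#' and similar
// characters, so the JSON stays a single value no matter what it contains.
function buildSafe(roomId: string, query?: QueryObject): string {
  const params = new URLSearchParams({ roomId });
  if (query) params.set("query", JSON.stringify(query));
  return `${ENDPOINT}?${params.toString()}`;
}

// What a server sees: every value submitted under each parameter name.
// More than one value for roomId is the HTTP Parameter Pollution symptom.
function parsedParams(url: string): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  new URL(url).searchParams.forEach((value, key) => {
    out[key] = [...(out[key] ?? []), value];
  });
  return out;
}

// Defensive check a test suite can run over a built URL.
function hasSingleRoomId(url: string): boolean {
  return (parsedParams(url).roomId ?? []).length === 1;
}
```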