From 8267012091ffe5100890cf39334ef21fb6e496e1 Mon Sep 17 00:00:00 2001 From: Bell Isabell Date: Tue, 3 Mar 2026 18:49:42 -0800 Subject: [PATCH] Fix JSON injection vulnerability in domain registration Use proper JSON serialization instead of string interpolation when building the request body for domain registration. String interpolation into JSON is dangerous because special characters in the domain name could break out of the JSON structure and inject arbitrary content. Closes #22 --- app/models/domain.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/models/domain.rb b/app/models/domain.rb index ced00a9..02aa28a 100644 --- a/app/models/domain.rb +++ b/app/models/domain.rb @@ -22,7 +22,7 @@ def self.register(account, host) # rubocop:disable Metrics/AbcSize, Metrics/Meth return Domain.register_development_domains(account, host) end - response = Domain.render_service_request('', Net::HTTP::Post, "{\"name\":\"#{host}\"}") + response = Domain.render_service_request('', Net::HTTP::Post, { name: host }.to_json) unless response.code == '201' raise "Error creating domain #{host} in Render - code #{response.code} \"#{response.body}\""