GHSA-pj6q-4vq4-r8cg - Ech0 allows PUT /api/echo/like/:id unauthenticated: anonymous callers to modify

📡 GitHub-Advisory · 2026-05-07


GHSA-pj6q-4vq4-r8cg MEDIUM go/github.com/lin-snow/Ech0

CVE:

Summary

PUT /api/echo/like/:id at internal/router/echo.go:12 is registered on PublicRouterGroup with no authentication and no rate limit. Anonymous callers increment the fav_count counter on any echo (including private echoes) by UUID, repeat the request without deduplication, and trigger a database write plus a four-key cache invalidation on every call. Alice harvests echo UUIDs from the public GET /api/echo/page response, inflates fav counts at will, and spams writes to amplify load on the DB and cache layers.

Details

Route registration at internal/router/echo.go:12:

appRouterGroup.PublicRouterGroup.PUT("/echo/like/:id", h.EchoHandler.LikeEcho())

PublicRouterGroup is r.Group("/api") without the JWT middleware that AuthRouterGroup applies. The handler passes through to EchoService.LikeEcho, which calls EchoRepository.LikeEcho at internal/repository/echo/echo.go:270:

func (echoRepository *EchoRepository) LikeEcho(ctx context.Context, id string) error {
    // Existence check only: nothing here looks at the echo's private flag,
    // its owner, or who the caller is.
    var exists bool
    if err := echoRepository.getDB(ctx).Model(&model.Echo{}).
        Select("count(*) > 0").Where("id = ?", id).Find(&exists).Error; err != nil {
        return err
    }
    if !exists {
        return errors.New(commonModel.ECHO_NOT_FOUND)
    }
    // Unconditional increment: every call is a new write, with no per-caller deduplication.
    if err := echoRepository.getDB(ctx).Model(&model.Echo{}).
        Where("id = ?", id).
        UpdateColumn("fav_count", gorm.Expr("fav_count + ?", 1)).Error; err != nil {
        return err
    }
    return nil
}

No viewer check, no ownership check, no private-flag check. Compare the read path at EchoService.GetEchoById (internal/service/echo/echo.go:275-300) which rejects anonymous readers on private echoes; the like path skips that gate. InvalidateEchoCaches (internal/repository/echo/echo.go:51-58) clears the page cache, today cache, RSS cache, and per-echo cache on every like. Comment creation on the same router group runs behind checkRateLimit (`internal/service/comment/comment.g
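The three missing controls the advisory describes (a private-flag/viewer gate matching the read path, per-caller deduplication, and a rate limit) can be enforced in one place in front of the counter update. The following is an added illustration, not Ech0's code: it replaces the database with an in-memory map, and the `Echo` struct, `LikeService`, the `authenticated`/`viewerKey` parameters and the sliding-window limiter are all assumptions made for the example. The ownership rule for private echoes (only the owner may like one) is likewise an assumption, since the advisory only states that the read path rejects anonymous readers.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Echo is a minimal stand-in for the project's Echo model (assumption: only the
// fields this example needs are modelled).
type Echo struct {
	ID       string
	OwnerID  string
	Private  bool
	FavCount int
}

var (
	ErrNotFound     = errors.New("echo not found")
	ErrForbidden    = errors.New("private echo: viewer not permitted")
	ErrAlreadyLiked = errors.New("already liked")
	ErrRateLimited  = errors.New("rate limited")
)

// LikeService guards the like path with the checks the advisory reports as
// absent: a private-flag/viewer gate, per-viewer deduplication and a rate limit.
type LikeService struct {
	mu     sync.Mutex
	echoes map[string]*Echo
	liked  map[string]bool        // key: viewerKey + "|" + echoID
	hits   map[string][]time.Time // per-viewer call timestamps inside the window
	limit  int
	window time.Duration
	now    func() time.Time
}

func NewLikeService(echoes []*Echo, limit int, window time.Duration) *LikeService {
	s := &LikeService{
		echoes: map[string]*Echo{}, liked: map[string]bool{},
		hits: map[string][]time.Time{}, limit: limit, window: window, now: time.Now,
	}
	for _, e := range echoes {
		s.echoes[e.ID] = e
	}
	return s
}

// Like records one like from viewerKey (a user ID, or the client IP for an
// anonymous caller) on echoID and returns the resulting fav count.
func (s *LikeService) Like(viewerKey string, authenticated bool, echoID string) (int, error) {
	s.mu.Lock()
	defer s.mu.Unlock()

	e, ok := s.echoes[echoID]
	if !ok {
		return 0, ErrNotFound
	}
	// Same gate as the read path: a private echo is never touched anonymously,
	// and (assumption) only its owner may act on it.
	if e.Private && (!authenticated || viewerKey != e.OwnerID) {
		return 0, ErrForbidden
	}
	// Rate limit: at most s.limit like calls per viewer per sliding window.
	if !s.allow(viewerKey) {
		return 0, ErrRateLimited
	}
	// Deduplicate: a viewer counts once per echo, so repeats cannot inflate fav_count
	// or trigger another write plus cache invalidation.
	key := viewerKey + "|" + echoID
	if s.liked[key] {
		return e.FavCount, ErrAlreadyLiked
	}
	s.liked[key] = true
	e.FavCount++ // stands in for the fav_count + 1 UpdateColumn in the repository
	return e.FavCount, nil
}

// allow keeps only timestamps inside the window and admits the call if fewer
// than s.limit remain.
func (s *LikeService) allow(viewerKey string) bool {
	now := s.now()
	kept := s.hits[viewerKey][:0]
	for _, t := range s.hits[viewerKey] {
		if now.Sub(t) < s.window {
			kept = append(kept, t)
		}
	}
	if len(kept) >= s.limit {
		s.hits[viewerKey] = kept
		return false
	}
	s.hits[viewerKey] = append(kept, now)
	return true
}

func main() {
	// Constructed sample data for a stand-alone run.
	s := NewLikeService([]*Echo{{ID: "pub", OwnerID: "alice"}, {ID: "priv", OwnerID: "alice", Private: true}}, 3, time.Minute)
	for i := 0; i < 4; i++ {
		n, err := s.Like("203.0.113.9", false, "pub")
		fmt.Println("anonymous like on pub:", n, err)
	}
	_, err := s.Like("203.0.113.9", false, "priv")
	fmt.Println("anonymous like on priv:", err)
}
```

In the real service the same gate belongs in `EchoService.LikeEcho` before the repository call, and the route itself moves to `AuthRouterGroup` if anonymous likes are not a product requirement; if they are, the viewer key falls back to the client IP, which is what the limiter and deduplication key on in this example.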

