GHSA-rgj7-vg8v-j4wr - Ech0's Unauthenticated Like Endpoint Enables Arbitrary Engagement Metric Inflation

📡 GitHub-Advisory · 2026-05-07

GHSA-rgj7-vg8v-j4wr MEDIUM go/github.com/lin-snow/ech0

Summary

No authentication is required to invoke PUT /api/echo/like/:id. The handler is registered on the public router group. The service increments fav_count for the given echo without checking identity, without a per-user limit, and without CSRF tokens. A remote client can arbitrarily inflate like metrics with repeated requests.

Description

Root cause: The like endpoint is explicitly public (PublicRouterGroup). LikeEcho in the service layer only runs a repository increment inside a transaction—no viewer/user binding.

Security boundary that fails: Integrity of engagement metrics (likes) and any trust that “likes” represent distinct or authenticated users.

Exploitation: Discover or guess a public echo UUID (timeline, API, share link) → send unauthenticated PUT repeatedly → fav_count increases linearly.

Affected files

Public route registration: `internal/router/echo.go`

Like mutation (no auth check): `internal/service/echo/echo.go`

Handler: `internal/handler/echo/echo.go`

Vulnerable / relevant code

Public PUT route:

	// Public
	appRouterGroup.PublicRouterGroup.PUT("/echo/like/:id", h.EchoHandler.LikeEcho())
	appRouterGroup.PublicRouterGroup.GET("/tags", h.EchoHandler.GetAllTags())

Service does not use viewer / rate limit:

func (echoService *EchoService) LikeEcho(ctx context.Context, id string) error {
	return echoService.transactor.Run(ctx, func(txCtx context.Context) error {
		return echoService.echoRepository.LikeEcho(txCtx, id)
	})
}

Execution flow

1. Client resolves ECHO_ID (e.g. GET /api/echo/page with any valid token, or from UI).

2. Client sends PUT /api/echo/like/{ECHO_ID} with no Authorization header.

3. Gin matches public route → handler → EchoService.LikeEcho → DB increments fav_count.

4. Repeat N times → fav_count increments by N.
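As an added illustration (not Ech0's code), the bare increment the advisory describes sits next to a hardened variant that refuses anonymous callers and records at most one like per (echo, viewer). The in-memory store and the `X-Viewer` header standing in for an upstream auth middleware's identity are assumptions; replaying the same client's requests shows the count growing linearly in one case and staying at one in the other.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// LikeStore is a constructed in-memory stand-in for Ech0's echo repository (not the project's code).
type LikeStore struct {
	Count map[string]int  // echo ID -> fav_count
	liked map[string]bool // "echoID\x00viewerID" -> already liked
}
func NewLikeStore() *LikeStore { return &LikeStore{Count: map[string]int{}, liked: map[string]bool{}} }
// LikeUnbound mirrors the advisory: a bare increment with no identity, so every request counts.
func (s *LikeStore) LikeUnbound(id string) int { s.Count[id]++; return s.Count[id] }
// LikeBound is the hardened variant: one like per (echo, viewer); a repeat is a no-op.
func (s *LikeStore) LikeBound(id, viewer string) int {
	key := id + "\x00" + viewer
	if !s.liked[key] {
		s.liked[key] = true
		s.Count[id]++
	}
	return s.Count[id]
}

// LikeHandler is the hardened route: anonymous callers get 401; the viewer ID is assumed to be set in X-Viewer by upstream auth middleware (hypothetical).
func (s *LikeStore) LikeHandler(w http.ResponseWriter, r *http.Request) {
	viewer := r.Header.Get("X-Viewer")
	if r.Method != http.MethodPut || viewer == "" {
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, s.LikeBound(strings.TrimPrefix(r.URL.Path, "/api/echo/like/"), viewer))
}

// Simulate replays n PUTs for one echo against the unbound increment and, from one authenticated viewer, through the hardened handler; then probes one anonymous PUT.
func Simulate(n int) (unbound, bound, anonStatus int) {
	vuln, safe := NewLikeStore(), NewLikeStore()
	for i := 0; i < n; i++ {
		unbound = vuln.LikeUnbound("echo-1")
		req := httptest.NewRequest(http.MethodPut, "/api/echo/like/echo-1", nil)
		req.Header.Set("X-Viewer", "user-42")
		safe.LikeHandler(httptest.NewRecorder(), req)
	}
	anon := httptest.NewRecorder()
	safe.LikeHandler(anon, httptest.NewRequest(http.MethodPut, "/api/echo/like/echo-1", nil))
	return unbound, safe.Count["echo-1"], anon.Code
}
```

`Simulate(5)` returns 5 for the unbound counter, 1 for the viewer-bound one, and 401 for the anonymous probe; in Ech0 the equivalent fix is moving the route out of PublicRouterGroup and keying the increment on the authenticated user.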
