Summary
The api_base() builder method accepts any string with no HTTPS enforcement. Combined with tokens in query strings, a non-HTTPS base URL transmits API secrets in plaintext.
Location
- File: src/lib.rs
- Line(s): 157–159
Severity
Medium
Details
```rust
pub fn api_base(mut self, base: impl Into<String>) -> Self {
    self.api_base = base.into(); // no scheme validation
    self
}
```
If a caller passes an http:// URL (misconfiguration or local testing), the API token is transmitted in plaintext in the query string.
Suggested Fix
Validate the scheme at construction time:
```rust
pub fn api_base(mut self, base: impl Into<String>) -> Result<Self> {
    let base = base.into();
    // Reject any base URL that is not HTTPS before it can be used for a request.
    if !base.starts_with("https://") {
        return Err(Error::InsecureBaseUrl(base));
    }
    self.api_base = base;
    Ok(self)
}
```
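The following is an added, self-contained illustration of the suggested fix; it is not code from the repository. It models the builder with assumed names (ClientBuilder, Client, BuildError, validate_https_base, url_for) and uses only the standard library. It goes slightly beyond the snippet above: the scheme is parsed out and compared case-insensitively, and a base with no host is rejected as malformed rather than accepted.

```rust
use std::fmt;

/// Errors the assumed builder can return (the project's own Error enum is not shown in full above).
#[derive(Debug, PartialEq)]
pub enum BuildError {
    InsecureBaseUrl(String),
    MalformedBaseUrl(String),
    MissingField(&'static str),
}

impl fmt::Display for BuildError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            BuildError::InsecureBaseUrl(u) => write!(f, "base URL must use https://, got {u}"),
            BuildError::MalformedBaseUrl(u) => write!(f, "base URL is malformed: {u}"),
            BuildError::MissingField(n) => write!(f, "missing required field: {n}"),
        }
    }
}

impl std::error::Error for BuildError {}

/// Accepts the base URL only if its scheme is https (any letter case) and a host is present.
/// Returns the base normalised to a lowercase scheme with no trailing slash.
pub fn validate_https_base(base: &str) -> Result<String, BuildError> {
    let trimmed = base.trim();
    let (scheme, rest) = trimmed
        .split_once("://")
        .ok_or_else(|| BuildError::MalformedBaseUrl(trimmed.to_string()))?;
    if !scheme.eq_ignore_ascii_case("https") {
        // http://, ftp://, etc. would carry the query-string token in the clear.
        return Err(BuildError::InsecureBaseUrl(trimmed.to_string()));
    }
    // "https://" alone has no host and would produce nonsense request URLs.
    let host = rest.split(|c| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    if host.is_empty() {
        return Err(BuildError::MalformedBaseUrl(trimmed.to_string()));
    }
    Ok(format!("https://{}", rest.trim_end_matches('/')))
}

/// Assumed builder; mirrors the shape of the api_base() method discussed in the finding.
#[derive(Debug, Default)]
pub struct ClientBuilder {
    api_base: Option<String>,
    token: Option<String>,
}

/// Assumed client type that the builder produces.
#[derive(Debug)]
pub struct Client {
    api_base: String,
    token: String,
}

impl ClientBuilder {
    pub fn new() -> Self {
        Self::default()
    }

    /// Fallible setter: an insecure or malformed base URL never reaches the client.
    pub fn api_base(mut self, base: impl Into<String>) -> Result<Self, BuildError> {
        self.api_base = Some(validate_https_base(&base.into())?);
        Ok(self)
    }

    pub fn token(mut self, token: impl Into<String>) -> Self {
        self.token = Some(token.into());
        self
    }

    pub fn build(self) -> Result<Client, BuildError> {
        Ok(Client {
            api_base: self.api_base.ok_or(BuildError::MissingField("api_base"))?,
            token: self.token.ok_or(BuildError::MissingField("token"))?,
        })
    }
}

impl Client {
    /// Joins a request path onto the validated base; the result is always an https URL.
    pub fn url_for(&self, path: &str) -> String {
        format!("{}/{}", self.api_base, path.trim_start_matches('/'))
    }

    pub fn token(&self) -> &str {
        &self.token
    }
}

fn main() {
    // Constructed inputs: one acceptable base and two that must be refused.
    for base in ["https://api.example.com/", "http://localhost:8080", "https://"] {
        match ClientBuilder::new().api_base(base) {
            Ok(_) => println!("accepted: {base}"),
            Err(e) => println!("rejected: {base} ({e})"),
        }
    }
}
```

The starts_with("https://") check in the suggested fix is sufficient for the plaintext-transport risk, but it treats "HTTPS://host" as insecure and lets a bare "https://" through; parsing the scheme first, as above, closes both gaps. Independently of the scheme check, a token carried in the query string still lands in server access logs, proxy logs and browser history even over HTTPS, so moving it to an Authorization header is the complementary hardening step.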
Automated finding by repo-monitor