[C3] downloads.rs body().unwrap() on attacker-controlled Content-Disposition filename -> unauthenticated panic/DoS #12
Severity: Critical
Component(s): server
Affected file(s): server/src/api/downloads.rs
Problem: Response::builder()...body().unwrap() runs on an attacker-controlled Content-Disposition filename, allowing an unauthenticated panic and worker DoS.
Recommended fix: Use a real error path (no unwrap), reject or RFC5987-encode the filename, and cap input length.
Remediation phase: P0
From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding C3) and REMEDIATION-PLAN.md (P0).
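One way to implement the recommended fix, as an added example that is not the project's own code: a std-only helper that caps the length, rejects control characters, and RFC 5987-encodes the rest, returning a `Result` instead of panicking. The names `content_disposition`, `FilenameError` and `MAX_FILENAME_BYTES`, and the 255-byte limit, are assumptions.

```rust
/// Longest accepted filename in bytes (assumed limit, not from the project).
const MAX_FILENAME_BYTES: usize = 255;

#[derive(Debug, PartialEq)]
pub enum FilenameError {
    Empty,
    TooLong,
    ControlChar,
}

/// Build a Content-Disposition value from an untrusted filename.
/// Never panics; the output is visible ASCII only, so it cannot be
/// rejected later as an invalid header value.
pub fn content_disposition(filename: &str) -> Result<String, FilenameError> {
    if filename.is_empty() {
        return Err(FilenameError::Empty);
    }
    // Cap the input before doing any per-byte work.
    if filename.len() > MAX_FILENAME_BYTES {
        return Err(FilenameError::TooLong);
    }
    // CR, LF, NUL and other control characters are rejected outright.
    if filename.chars().any(|c| c.is_control()) {
        return Err(FilenameError::ControlChar);
    }
    // RFC 5987 ext-value: attr-char bytes stay literal, all others become %XX.
    let mut encoded = String::with_capacity(filename.len() * 3);
    for b in filename.bytes() {
        if b.is_ascii_alphanumeric() || b"!#$&+-.^_`|~".contains(&b) {
            encoded.push(b as char);
        } else {
            encoded.push_str(&format!("%{:02X}", b));
        }
    }
    Ok(format!("attachment; filename*=UTF-8''{}", encoded))
}

fn main() {
    // Constructed sample inputs: plain, non-ASCII with a space, header injection.
    for name in ["report.pdf", "naïve file.txt", "a\r\nX-Injected: 1"] {
        match content_disposition(name) {
            Ok(value) => println!("{:?} -> {}", name, value),
            Err(err) => println!("{:?} rejected: {:?}", name, err),
        }
    }
}
```

The handler would map `Err` to a 400 response and handle the `Result` from `body()` the same way rather than calling `unwrap()`.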