Security: Missing Input Validation in Dropbox Serializer credentials_are_valid #11791

Open
tomaioo wants to merge 1 commit into CenterForOpenScience:develop from tomaioo:fix/security/missing-input-validation-in-dropbox-seri

tomaioo commented Jul 1, 2026

Summary

Security: Missing Input Validation in Dropbox Serializer credentials_are_valid

Problem

Severity: Medium | File: addons/dropbox/serializer.py:L14

The DropboxSerializer.credentials_are_valid method accesses user_settings.external_accounts[0] without checking if the list is empty. This could cause an IndexError exception. Additionally, the method creates a Dropbox client with an OAuth key without proper validation of the key format or source.

Solution

Add explicit bounds checking before accessing external_accounts[0]. Validate the OAuth key format before creating the Dropbox client. Consider using a try-except block specifically for IndexError.

Changes

  • addons/dropbox/serializer.py (modified)

The DropboxSerializer.credentials_are_valid method accesses user_settings.external_accounts[0] without checking if the list is empty. This could cause an IndexError exception. Additionally, the method creates a Dropbox client with an OAuth key without proper validation of the key format or source.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
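
Added example, not code from this pull request or from the OSF repository: a small model of the pattern the description reports, with the unguarded read of `external_accounts[0]` beside a version that fails closed. The classes, the `oauth_key` attribute name, the `verify` callable and the sample token are assumptions made for the illustration.

```python
# Constructed model of the pattern in the PR description; not OSF code.
# Class names, the oauth_key attribute and check_token are hypothetical.

class AuthError(Exception):
    """Stand-in for the error a storage client raises on a rejected token."""

class ExternalAccount:
    def __init__(self, oauth_key):
        self.oauth_key = oauth_key

class UserSettings:
    def __init__(self, external_accounts=None):
        self.external_accounts = list(external_accounts or [])

def check_token(key):
    # Constructed verifier: accepts exactly one sample token.
    if key != "sample-token":
        raise AuthError("rejected")

def credentials_are_valid_unguarded(settings, verify=check_token):
    # Reported pattern: index 0 is read without checking the list.
    key = settings.external_accounts[0].oauth_key  # IndexError if empty
    try:
        verify(key)
    except AuthError:
        return False
    return True

def credentials_are_valid_guarded(settings, verify=check_token):
    # Fail closed: no settings, no linked account, or no usable key
    # all mean "not valid", and none of them raise.
    accounts = getattr(settings, "external_accounts", None) or []
    if not accounts:
        return False
    key = accounts[0].oauth_key
    if not isinstance(key, str) or not key.strip():
        return False  # never pass a missing or blank key to the client
    try:
        verify(key)
    except AuthError:
        return False
    return True

if __name__ == "__main__":
    print(credentials_are_valid_guarded(UserSettings()))
    print(credentials_are_valid_guarded(UserSettings([ExternalAccount("sample-token")])))
```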