fix: 3 security vulnerabilities — XSS in faucet & ledger, anti-Sybil bypass in airdrop#1830
Merged
Scottcjn merged 1 commit intoMar 25, 2026
Conversation
Bug 1 (High): faucet.py — DOM XSS via innerHTML injection The faucet response handler used innerHTML to render wallet addresses and error messages from the server. A malicious wallet address like '0x<img src=x onerror=alert(1)>' would execute arbitrary JavaScript. Fix: Replace innerHTML with textContent + createElement (safe DOM API). Bug 2 (Medium): payout_ledger.py — Stored XSS via unescaped Jinja2 variables Template rendered bounty_id, bounty_title, contributor, status, pr_url, and tx_hash without escaping. Any of these fields could contain HTML/JS injected via the POST /api/ledger endpoint, executing in admin browsers. Fix: Add |e (escape) filter to all user-controlled template variables. Bug 3 (High): airdrop_v2.py — Anti-Sybil bypass via API parameter The /api/airdrop/eligibility endpoint accepted skip_antisybil from user-supplied JSON body, allowing anyone to bypass wallet balance, wallet age, and GitHub age checks. An attacker could claim airdrops with fresh/empty wallets and new GitHub accounts. Fix: Hardcode skip_antisybil=False in API handler; parameter only available via direct Python calls for testing.
github-actions
Bot
added
BCOS-L1
Contributor
Author
|
Bounty claim — RTC wallet: RTCf720a28c62e0724b9f745e6dd64ad37b520c0b96 (consolidated claim on PR #1843) |
Contributor
Code Review — PR #1830Reviewer: FlintLeng ✅ LGTM— FlintLeng |
FlintLeng
approved these changes
Apr 24, 2026
FlintLeng
left a comment
FlintLeng
left a comment
Contributor
There was a problem hiding this comment.
Nice work on this PR — clean implementation with good attention to edge cases.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug Report (Bounty #305)
Bug 1: DOM XSS in faucet.py (High Severity)
The faucet response handler uses innerHTML to render wallet addresses. A malicious wallet like 0x
executes JS.
Fix: Replace innerHTML with textContent + createElement.
Bug 2: Stored XSS in payout_ledger.py (Medium Severity)
Jinja2 template renders bounty_id, contributor, pr_url etc without escaping. POST /api/ledger accepts arbitrary strings → stored XSS on admin ledger page.
Fix: Add |e escape filter to all user-controlled variables.
Bug 3: Anti-Sybil Bypass in airdrop_v2.py (High Severity)
/api/airdrop/eligibility reads skip_antisybil from user JSON body → bypasses all anti-Sybil checks (wallet balance, wallet age, GitHub age). Attacker drains 50k wRTC allocation.
Fix: Hardcode skip_antisybil=False in API handler.
Wallet: grim-cod-29