zongxr / supermarket Goto Github PK

Recently, our team found an arbitrary cart update vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/GoogleLLP/SuperMarket/blob/master/cart/src/main/java/com/supermarket/cart/controller/CartController.java#L73. Access to the /manage/update API is unauthorized, allowing attackers to update the information of arbitrary cart via a crafted cart object.

To address this vulnerability, we recommend that developers implement access control policies to limit API access to privileged users and cart owners only.

Recently, our team found an arbitrary order addition vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/GoogleLLP/SuperMarket/blob/master/order/src/main/java/com/supermarket/order/controller/OrderController.java#L36. Access to the /manage/save API is unauthorized, allowing attackers to add orders as any user via a crafted order object.

To address this vulnerability, we strongly recommend that developers implement access control policies to limit the order addition operation.

请问一下这个项目是不是没有部署elasticsearch就启动不成功啊。
现在启动eureka报错了：

Recently, our team found an arbitrary cart deletion vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/GoogleLLP/SuperMarket/blob/master/cart/src/main/java/com/supermarket/cart/controller/CartController.java#L96. Access to the /manage/delete API is unauthorized, allowing attackers to delete arbitrary cart via a crafted cart object.

To address this vulnerability, we recommend that developers implement access control policies to limit API access to privileged users and cart owners only.

Recently, our team found an arbitrary cart details access vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/GoogleLLP/SuperMarket/blob/master/cart/src/main/java/com/supermarket/cart/controller/CartController.java#L35.

Access to the /manage/query?userId= API is unauthorized, allowing attackers to manipulate the userId request parameter and access other users' cart details, potentially compromising user privacy data.

To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or cart owners can access the information.

有了架构图，大家就可以快速了解整个项目个架构。

start_app.sh里面run的image名称和pull的image名称不一致，跑sh的时候报错

这个项目是通过jdk11构建的~

1. 如题
2. 可以考虑使用 maven 构建项目，jar 包太多了导致仓库特别大，国内网速你懂的。

Recently, our team found an arbitrary order deletion vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/GoogleLLP/SuperMarket/blob/master/order/src/main/java/com/supermarket/order/controller/OrderController.java#L74. Unauthorized access to the /manage/delete/{orderId} API enables attackers to manipulate the path variable orderId and delete orders belonging to other users.

To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or the order owner are authorized to perform the delete operation.

缺少很多文档,也没有接口文档

Recently, our team found an arbitrary order detail access vulnerability in the latest version of the project.
The vulnerability logic is present in the file: https://github.com/GoogleLLP/SuperMarket/blob/master/order/src/main/java/com/supermarket/order/controller/OrderController.java#L59. Access to the /manage/query/{userId} API is unauthorized, allowing attackers to manipulate the path variable userId and access other users' order details, potentially compromising user privacy data.

To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or the owner can access the order information.

Recently, our team found an arbitrary cart addition vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/GoogleLLP/SuperMarket/blob/master/cart/src/main/java/com/supermarket/cart/controller/CartController.java#L50. Access to the /manage/save API is unauthorized, allowing attackers to add carts for any user via a crafted cart object.

To address this vulnerability, we recommend that developers implement access control policies to ensure that users can only add items to their own cart.