[Security] NID parameter not URL-encoded in API requests, allowing query parameter injection #75

@numbers-official

Description

Summary

The nid parameter is interpolated directly into API request URLs in src/asset/asset-service.ts (into the query string on lines 10 and 76, and into the URL path on line 97) without encodeURIComponent(), allowing an attacker who controls nid to inject additional query parameters or alter the request path.

Affected Code

File: src/asset/asset-service.ts

Line 10:

const response = await fetch(`${Constant.url.dataApi}?nid=${nid}`, {

Line 76:

const response = await fetch(`${Constant.url.productApi}?nid=${nid}&available=true&limit=1`, {

Line 97:

const response = await fetch(`${Constant.url.assetApi}${nid}/`, {

Impact

  • Risk Level: Medium
  • A malicious nid value such as foo&admin=true or ../other-endpoint could modify the intended API request
  • The nid originates from HTML attributes (<capture-eye nid="...">) which are attacker-controllable in contexts like WordPress/Elementor where user input flows into the attribute (see related issue [Security] Missing output escaping in Elementor widget render() and content_template() #73)
  • On line 97, the nid is embedded directly in the URL path (${Constant.url.assetApi}${nid}/), making path traversal possible (e.g., nid="../../admin/endpoint")

Suggested Fix

Apply encodeURIComponent() to all nid values before URL interpolation:

const encodedNid = encodeURIComponent(nid);
const response = await fetch(`${Constant.url.dataApi}?nid=${encodedNid}`, { ... });

Additionally, consider adding a basic NID format validation function (e.g., alphanumeric + limited special chars) that rejects clearly malformed values before any API call.
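The following is an added example, not code from the capture-eye project: it builds the data and asset URLs the same way the three call sites above do, then the way the suggested fix does (encodeURIComponent() alone, and validation plus encoding), and parses the results with the WHATWG URL class, which is the parser fetch() uses, so the query parameters and normalized path shown are what the API server would actually receive. The Constant.url.* values, the NID_PATTERN regex and all function names are assumptions for illustration only; the real NID format should drive the pattern. Note that encodeURIComponent() turns "/" into "%2F", so the dot segments in "../../admin/endpoint" no longer collapse during URL normalization; the allowlist check is still worth keeping, because some servers decode %2F before routing.

```typescript
// Added example, not part of the capture-eye source.
// Placeholder endpoints standing in for the project's Constant.url.* values.
const Constant = {
  url: {
    dataApi: "https://api.example.com/data",
    productApi: "https://api.example.com/product",
    assetApi: "https://api.example.com/asset/",
  },
};

// Assumed NID format (alphanumeric, dash, underscore); tighten to the real one.
const NID_PATTERN = /^[A-Za-z0-9_-]{1,128}$/;

export function isValidNid(nid: string): boolean {
  return NID_PATTERN.test(nid);
}

function assertValidNid(nid: string): string {
  if (!isValidNid(nid)) {
    throw new Error(`Rejected malformed nid: ${JSON.stringify(nid)}`);
  }
  return nid;
}

// Vulnerable: mirrors the interpolation on lines 10 and 97 of the issue.
export function vulnerableDataUrl(nid: string): string {
  return `${Constant.url.dataApi}?nid=${nid}`;
}
export function vulnerableAssetUrl(nid: string): string {
  return `${Constant.url.assetApi}${nid}/`;
}

// Suggested fix, step one: percent-encode before interpolating.
export function encodedDataUrl(nid: string): string {
  return `${Constant.url.dataApi}?nid=${encodeURIComponent(nid)}`;
}
export function encodedAssetUrl(nid: string): string {
  return `${Constant.url.assetApi}${encodeURIComponent(nid)}/`;
}

// Suggested fix, step two: allowlist-validate, then encode (defense in depth).
export function safeDataUrl(nid: string): string {
  return `${Constant.url.dataApi}?nid=${encodeURIComponent(assertValidNid(nid))}`;
}
export function safeAssetUrl(nid: string): string {
  return `${Constant.url.assetApi}${encodeURIComponent(assertValidNid(nid))}/`;
}

// What the server sees: query parameters after WHATWG URL parsing.
export function queryParams(url: string): Record<string, string> {
  const out: Record<string, string> = {};
  new URL(url).searchParams.forEach((value, key) => {
    out[key] = value;
  });
  return out;
}

// What the server sees: the path after dot-segment normalization.
export function resolvedPath(url: string): string {
  return new URL(url).pathname;
}

// Constructed attacker-controlled values taken from the issue text.
export const QUERY_INJECTION_NID = "foo&admin=true";
export const PATH_TRAVERSAL_NID = "../../admin/endpoint";

// Run stand-alone: ts-node this file to print the comparison.
for (const nid of [QUERY_INJECTION_NID, PATH_TRAVERSAL_NID]) {
  console.log("nid:", JSON.stringify(nid));
  console.log("  vulnerable data query :", queryParams(vulnerableDataUrl(nid)));
  console.log("  encoded data query    :", queryParams(encodedDataUrl(nid)));
  console.log("  vulnerable asset path :", resolvedPath(vulnerableAssetUrl(nid)));
  console.log("  encoded asset path    :", resolvedPath(encodedAssetUrl(nid)));
  try {
    safeDataUrl(nid);
  } catch (err) {
    console.log("  validated             :", (err as Error).message);
  }
}
```

With the injection value the vulnerable URL carries two parameters (nid=foo and admin=true) while the encoded one carries a single nid whose value is the literal string "foo&admin=true"; with the traversal value the vulnerable asset path normalizes to /admin/endpoint/ while the encoded one stays under /asset/. The validated variants reject both inputs before any request is built.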

Metadata

Labels: bug (Something isn't working)