snapapi: session 53 — security fix for free signup vulnerability

Hoid 2026-03-03 21:09:49 +01:00
parent a3848df0e9
commit e4d9233ab7
3 changed files with 56 additions and 3 deletions

@ -78,6 +78,14 @@
- **Root cause:** v0.5.2 image was built before usage dashboard commit (5b59a7a)
- **Fix:** Needs new production deploy after staging verified
### BUG-016: Free signup route still mounted in production (HIGH) — FIXED (staging)
- **Found:** Session 53 (self-discovered)
- **Impact:** /v1/signup/free still active on production — anyone can generate unlimited free API keys despite free tier being "removed" in v0.3.0
- **Root cause:** Route was removed from pricing/landing page but `signupRouter` was never unmounted from `index.ts`
- **Fix:** Removed signup import + route registration, deleted dead `signup.ts` file, added test verifying 404. Cleaned up leaked test key + verified 5 remaining keys are all QA artifacts.
- **Deployed to staging:** Yes (commit f3a363f, image imported to w1+w2). Verified: 404 on staging.
- **Production:** ⚠️ STILL VULNERABLE — needs production deploy (v* tag) to fix. This is a security issue.
## Open
### BUG-015: Python SDK missing URL validation for ScreenshotOptions object (LOW) — FIXED