I’ve been working on a service which is to be triggered by a webhook.
The process ends with an email to the initial requester with a link to the data where they can download it from.
On of the things I want to include was/is a summary of the request to help the user figure out what it is they requested when they look at the email. But that requires me consuming and then giving back the user their own input. In testing I’ve found that it’s really easy to just inject key words into the request. There are certain key words that just get resolved directly meaning I couldn’t even try and sanitize the request.
Is this a lost cause? Has anyone else battled with this?
For example if the request was something like
{
“parameter1”: “{event.id}”
}Then {event.id} just gets resolved and if I’ve using “parameter1” in my email then it just gets set out as the event id.
