stoodkev / steemplus-api Goto Github PK

Expected behavior

The job that updates the SPP (Steemplus Points) should only run every hour, as mentioned in the coding.

Only authorized persons should be able to start resource-intensive jobs on the steemplus api server. Such a functionality is never to be exposed via an api.

Actual behavior

Every user is able to call the mentioned api endpoint to start the job manually. A malicious user could use this to overload the steemplus api server, resulting in a DOS (Denial-of-Service) attack.

How to reproduce

It is easily possible to reproduce the bug by just calling the specific endpoint for the api:
/job/update-steemplus-points

Solution

A solution could be to secure the api endpoint via a private key saved in the config. With this only authorized users can call the function.
Another solution would be to not expose this function to the api at all and only call it internally via a cronjob or similar.

I decided to go with solution number one and started a pull-request for it:
Pull-Request

Recording Of The Bug

Before executing the job:

Executing the job:

After executing the job:

As we see my user-information was created and my points where updated without waiting for an hour.

Expected behavior

SteemPlus Points (SPP) should be rewarded for various activities, such as promoting your post with minnowbooster or postpromoter.

Actual behavior

Only transfers to minnowbooster are counted. This is caused by a wrong condition in the sql statement that the job uses to calculate the points.
Other activities to earn points like setting steemplus-pay as a beneficiary still works as expected.

How to reproduce

• Send 1 SBD to postpromoter
• Wait 1 hour so that the job runs
• Check the API to see that your points weren't updated and the transfer wasn't included.

Solution

The solution is very simple.
In the SQL-Statement one has to replace the [from] with a [to].
Turning from this:

To this:

Another indicator that "to" is the right field to use is the fact that later the field is later used to determine the type of transaction.

I would have made a Pull-Request for it, but after telling @cedricguillas (who is in charge for this function) what and where the problem is he immediately started working on it. (Making a PR and juggle with the issue would probably be just more overhead than quickly replacing the word himself. )

Recording Of The Bug

Before promoting my post with postpromoter:

Promoting a post:

After promoting my post with postpromoter:

_{(click the picture to enlarge)}
It is somewhat difficult to see , but my points weren't increased and only the transfer to minnowbooster which I had before was counted.

Already told @cedricguillas about it, who already implemented a fix.

Project Information

• Repository: https://github.com/stoodkev/SteemPlus and https://github.com/stoodkev/steemplus-api
• Project Name: SteemPlus
• Publisher (if applicable): @stoodkev @steem-plus

Expected behavior

Showing All of the Mentions

Actual behavior

The SteemPlus Mentions Tool Does not Show Some Mentions

How to reproduce

I suspected that not all mentions were shown at the SteemPlus Mentions Tool. For this, I looked at my mentions in recent days. I compared them. I noticed that some mentions were not shown at the SteemPlus Mentions Tool. Steemplus does not show me some of my mentions. These mentions were added a day ago, 3 days ago, 10 days ago and 19 days ago.
The Steemplus Mentions Tool is not working correctly. Steemplus-api can not process all of the mention datas. So some mentions are not shown on SteemPlus Mentions Tool. So, it should be fixed.

• Browser Version: Google Chrome 66.0.3359.139 (32 bit)
• Operating System: Windows 7 professional SP1 (32 bit)
  İntel Core 2 Duo 2.13 Ghz , 4 gb RAM
• Extension Version 1: SteemPlus 2.11.3.1

Recording Of The Bug

• You can see all of the Mentions from the last 30 days shown by Steemplus Mentions Tool:
  

• These comment mentions added 7 days ago but are not listed in the SteemPlus Mentions Tool:
  

• This post mention added 3 days ago and are not listed in the SteemPlus Mentions Tool:
  

• This post mention added 10 days ago and are not listed in the SteemPlus Mentions Tool:
  

• This post mention added 19 days ago and are not listed in the SteemPlus Mentions Tool:
  

GitHub Account

https://github.com/emirfirlar