From 65bd997f5ddfda9bb0f9b82183a8eb06df0d2db4 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Tue, 30 Jun 2026 17:07:19 -0700 Subject: [PATCH] fix(security): missing input validation in dropbox serializer cre The DropboxSerializer.credentials_are_valid method accesses user_settings.external_accounts[0] without checking if the list is empty. This could cause an IndexError exception. Additionally, the method creates a Dropbox client with an OAuth key without proper validation of the key format or source. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- addons/dropbox/serializer.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/dropbox/serializer.py b/addons/dropbox/serializer.py index 0fa89e808a1..e19bfdf194f 100644 --- a/addons/dropbox/serializer.py +++ b/addons/dropbox/serializer.py @@ -10,7 +10,7 @@ class DropboxSerializer(StorageAddonSerializer): addon_short_name = 'dropbox' def credentials_are_valid(self, user_settings, client): - if user_settings: + if user_settings and user_settings.external_accounts: client = client or Dropbox(user_settings.external_accounts[0].oauth_key) try: client.users_get_current_account()