solved [BUG] Add non-existent Follower

AppXprt
@appxprt
7 years ago
40 posts
In the jrFollower module (and by extension the jrFriends module) there isn't a check to see if the PID you are trying to follow actually exists:

So if you manually visit /follow/follow/[INVALID_PID] or friend/friend/[INVALID_PID], such as a PID above the int value of registered users, it doesn't prevent the follow/friend attempt; it returns an OK and issues a blank status update to your profile:

ViXiV
@vixiv • 2 minutes ago
@vixiv is now following @
ViXiV
@vixiv • 5 minutes ago
@vixiv is now friends with @

Customizing the error messages a bit reveals that these make it to the database as well... Upon a 2nd attempt at adding one of the same invalid PIDs, it alerts that it already exists in the DB:

{"EXISTS":1,"VALUE":"friends"}
updated by @appxprt: 07/01/17 05:12:51AM
AppXprt
@appxprt
7 years ago
40 posts
This will never show up if everyone does everything like they're supposed to, but if anyone gets a little playful they could potentially easily fill the DB up with bogus followers/friends and use it to spam their timeline. Used with cURL or wget this could most likely cause some damage, such as very quickly bloating certain tables through a crawler that just requests that same page excessively while incrementing the PID variable. I'm still familiarizing myself with Jamroom and took a little mini vacation, but I'm back at it, so please let me know if there is anything in place that would prevent these sorts of simple attacks?
AppXprt
@appxprt
7 years ago
40 posts
I believe a check that the PID being passed actually exists could be done around line 112 of index.php, before the new following entry is created and issued to the DB, alongside the other checks for already following / follow approval?
updated by @appxprt: 03/18/17 11:51:40AM
AppXprt
@appxprt
7 years ago
40 posts
Hmm this also increments the Following count on your profile stats. On my site I am following 2 people, but it has been incremented to 5 after the bogus follow links.
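The two posts above describe one missing check with two symptoms: a follow of a PID that does not exist is accepted and stored (producing the blank "@" in the status update and the "EXISTS" reply on the second attempt), and the Following count on the profile goes up with it. The following is an added example, not Jamroom's code: jrFollower is PHP, and its table layout and helper functions are not reproduced here. A small sqlite3 stand-in with constructed profiles (PIDs 1 to 3; PID 99 is deliberately absent) models the reported behaviour next to a version that validates both PIDs before anything is written, derives the count only from targets that still exist, and shows a FOREIGN KEY constraint as a second line of defence. Table and column names are assumptions for the illustration.

```python
"""Existence check before creating a follow record.

Added example, not Jamroom's own code. Schema, table and helper names are
assumptions; the data below is constructed for the demonstration.
"""
import sqlite3

# Constructed sample profiles. PID 99 does not exist anywhere.
PROFILES = [(1, "vixiv"), (2, "appxprt"), (3, "michael")]


def make_db(enforce_fk=False):
    con = sqlite3.connect(":memory:")
    if enforce_fk:
        # sqlite ignores FOREIGN KEY clauses unless this pragma is on (off by default).
        con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE profile (pid INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE following (
            follower_pid INTEGER NOT NULL REFERENCES profile(pid),
            target_pid   INTEGER NOT NULL REFERENCES profile(pid),
            PRIMARY KEY (follower_pid, target_pid)
        );
    """)
    con.executemany("INSERT INTO profile VALUES (?, ?)", PROFILES)
    return con


def _name(con, pid):
    row = con.execute("SELECT name FROM profile WHERE pid = ?", (pid,)).fetchone()
    return row[0] if row else None


def _already_following(con, follower_pid, target_pid):
    return con.execute(
        "SELECT 1 FROM following WHERE follower_pid = ? AND target_pid = ?",
        (follower_pid, target_pid),
    ).fetchone() is not None


def follow_unchecked(con, follower_pid, target_pid):
    """The reported behaviour: the only check is 'already following'."""
    if _already_following(con, follower_pid, target_pid):
        return {"EXISTS": 1, "VALUE": "following"}
    con.execute("INSERT INTO following VALUES (?, ?)", (follower_pid, target_pid))
    # A missing target yields a blank handle, like "@vixiv is now following @".
    target = _name(con, target_pid) or ""
    return {"OK": 1, "status": f"@{_name(con, follower_pid)} is now following @{target}"}


def follow_checked(con, follower_pid, target_pid):
    """Hardened version: validate both PIDs before anything is written."""
    if follower_pid == target_pid:
        return {"ERROR": "cannot follow yourself"}
    follower, target = _name(con, follower_pid), _name(con, target_pid)
    if follower is None or target is None:
        return {"ERROR": "profile does not exist"}
    if _already_following(con, follower_pid, target_pid):
        return {"EXISTS": 1, "VALUE": "following"}
    con.execute("INSERT INTO following VALUES (?, ?)", (follower_pid, target_pid))
    return {"OK": 1, "status": f"@{follower} is now following @{target}"}


def stored_following_count(con, pid):
    """Naive stat: every row counts, including rows that point at nothing."""
    return con.execute(
        "SELECT COUNT(*) FROM following WHERE follower_pid = ?", (pid,)
    ).fetchone()[0]


def real_following_count(con, pid):
    """Only targets that still exist count, so stray rows cannot inflate the stat."""
    return con.execute(
        "SELECT COUNT(*) FROM following f JOIN profile p ON p.pid = f.target_pid "
        "WHERE f.follower_pid = ?",
        (pid,),
    ).fetchone()[0]


def fk_rejects_bogus_target():
    """Defence in depth: with FK enforcement on, even the unchecked path cannot store a bogus row."""
    con = make_db(enforce_fk=True)
    try:
        follow_unchecked(con, 1, 99)
    except sqlite3.IntegrityError:
        return True
    return False


def demo():
    con = make_db()
    results = {
        "unchecked_first": follow_unchecked(con, 1, 99),
        "unchecked_second": follow_unchecked(con, 1, 99),
        "stored_count": stored_following_count(con, 1),
        "real_count": real_following_count(con, 1),
    }
    con2 = make_db()
    results["checked_bogus"] = follow_checked(con2, 1, 99)
    results["checked_valid"] = follow_checked(con2, 1, 2)
    results["checked_self"] = follow_checked(con2, 1, 1)
    results["fk_rejects"] = fk_rejects_bogus_target()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unchecked path accepting PID 99, answering `EXISTS` on the repeat, and counting the phantom row, while the checked path refuses it before the INSERT. The existence lookup belongs before the write, as the post suggests for index.php, and the count should be computed from rows whose target still resolves rather than incremented on every request; the FOREIGN KEY constraint only catches what the application check misses and is not a substitute for it.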
michael
@michael
7 years ago
7,695 posts
thanks will check this out and add some validation where required.
AppXprt
@appxprt
7 years ago
40 posts
I sent the jrFriends module to the support email; feel free to check that out. It's going to be free in the marketplace, hopefully...

Edit: It still needs a little work and modifications to be a true friends module
A couple of notes on jrFriends:
https://www.jamroom.net/the-jamroom-network/forum/new_posts/50821/plugin-module-licensing
updated by @appxprt: 03/18/17 01:33:15PM
brian
@brian
7 years ago
10,143 posts
Those URLs are never called directly by the user, so the chance of them being fired wrong is low. You will see it because you're developing and testing, but we will get some checks in there.

Thanks!


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
michael
@michael
7 years ago
7,695 posts
Checks have been added to 1.5.4 which is in the marketplace now.