Forum Bugs


Bug #1: Requested to do something which user has no permissions for

When creating a feature post, it asks if you want to upload an image with the post:

[Screenshot: Attach a file here]

But if you attach the image, the request fails and the UI hangs indefinitely.  Here's the XHR request:

[Screenshot: API response]

Bug #2: Missing angular translation

After submitting a feature request, the following is displayed on the success page.

[Image: Screenshot from 2020-07-31 13-23-35.png]


Potential Bug #3: Raw SQL in API requests

You can craft SQL statements in the community API in order to dump a list of users.  I wouldn't be surprised if you could do a lot more than that, so it might need some security research.


If you look at the XHR requests in the screenshot from earlier, you'll see a lot of SELECT statements repeating.  If you open that page in your browser and edit some parameters, it has no problem with the inputs.

Ex: random 100 user profiles: https://community.fitbit.com/xmnuz23762/api/2.0/search?q=SELECT+id,+login,+avatar.profile,+rank,+vie...


I tried up to a limit of 1000 and although it takes quite a while to respond, it will indeed return 1000 users.  This could potentially be used to DoS the community forums.

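One server-side guard for the behaviour the post describes (a search endpoint that executes whatever SELECT it is handed, with no ceiling on LIMIT), as an added example that is not code from the post or from the community platform. It assumes a hypothetical endpoint whose q parameter carries a query shaped like SELECT fields FROM table LIMIT n, and the table/field allowlist and the 100-row ceiling are illustrative values.

```python
"""Allowlist-and-clamp check for a SELECT-style search parameter.

Added example (not the platform's code). Assumes a hypothetical endpoint
whose `q` parameter looks like `SELECT <fields> FROM <table> LIMIT <n>`.
The check runs before anything reaches the data layer: unknown tables or
fields are rejected, and LIMIT is clamped so one request cannot occupy
the backend for tens of seconds the way LIMIT 1000 does in the post.
"""
import re
from urllib.parse import parse_qs, urlsplit

MAX_LIMIT = 100                    # assumed ceiling; post shows 1000 ~ 52 s
ALLOWED = {                        # assumed public fields per table
    "users": {"id", "login", "rank", "view_href"},
}

_QUERY_RE = re.compile(
    r"^\s*SELECT\s+(?P<fields>[\w.,\s]+?)\s+FROM\s+(?P<table>\w+)"
    r"(?:\s+LIMIT\s+(?P<limit>\d+))?\s*$",
    re.IGNORECASE,
)


def check_query(q: str) -> tuple[str, list[str], int]:
    """Validate `q`; return (table, fields, effective_limit).

    Raises ValueError for anything outside the allowlist so the caller
    can answer HTTP 400 instead of forwarding raw SQL.
    """
    m = _QUERY_RE.match(q)
    if not m:
        raise ValueError("query shape not permitted")
    table = m.group("table").lower()
    if table not in ALLOWED:
        raise ValueError(f"table not permitted: {table}")
    fields = [f.strip() for f in m.group("fields").split(",")]
    bad = [f for f in fields if f not in ALLOWED[table]]
    if bad:
        raise ValueError(f"fields not permitted: {bad}")
    limit = int(m.group("limit") or MAX_LIMIT)
    if limit < 1:
        raise ValueError("limit must be positive")
    return table, fields, min(limit, MAX_LIMIT)   # clamp; never trust client


def check_url(url: str) -> tuple[str, list[str], int]:
    """Pull the single `q` parameter out of a request URL and validate it."""
    qs = parse_qs(urlsplit(url).query)   # parse_qs decodes '+' as a space
    if len(qs.get("q", [])) != 1:
        raise ValueError("exactly one q parameter required")
    return check_query(qs["q"][0])
```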

With a limit of 1000, it takes 52 seconds for the server to respond. This is time it's cranking away. 😐

$ curl -o /dev/null -w '%{time_starttransfer}\n' https://community.fitbit.com/xmnuz23762/api/2.0/search?q=SELECT+id,+login,+avatar.profile,+rank,+view_href+FROM+users+LIMIT+1000
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  363k    0  363k    0     0   6752      0 --:--:--  0:00:55 --:--:-- 97512
52.607012