
Turn ZEIT into a Spectrum proxy

Introduction

While browsing ZEIT for the aesthetic pleasure of their minimalist web design, I stumbled across the “Community Chat” page, which displays the live member count of their community on Spectrum.

After some analysis, I noticed that the ZEIT API endpoint this page uses for data fetching, https://zeit.co/api/v1/chat, is actually a proxy to Spectrum’s own GraphQL endpoint https://spectrum.chat/api.

Impacts

Simply proxying the endpoint from Spectrum is convenient and could reduce the development cost at ZEIT. However, it makes ZEIT prone to resource abuse.

Also, I doubt this is the intended behavior for /api/v1/chat. It should not be possible to query arbitrary Spectrum data through it.

Reproduction

Since ZEIT’s chat endpoint is just a proxy, let’s use it to look for Haskell communities on Spectrum.

Server Request

HTTP POST /api/v1/chat
Host: zeit.co

query=query ($type: SearchType!) {
  search(queryString: "Haskell", type: $type) {
    searchResultsConnection {
      edges {
        node {
          ... on Thread {
            community {
              name
              description
            }
            content {
              title
            }
          }
        }
      }
    }
  }
}

variables={
  "type": "THREADS"
}

Server Response

{
  "data": {
    "search": {
      "searchResultsConnection": {
        "edges": [
          {
            "node": {
              "community": {
                "name": "haskell",
                "description": "A place to talk about Haskell"
              },
              "content": {
                "title": "What are some good open source Haskell projects, a beginner can start contributing to?"
              }
            }
          }
        ]
      }
    }
  }
}

As we can see, this arbitrary GraphQL query is relayed through ZEIT’s API endpoint, yet it returns data that has little to do with ZEIT.

Timeline

2019-01-10: Report Submitted

2019-01-19: Bug Patched by ZEIT

2019-01-19: Recruiting by ZEIT