
Remove code for special decoding of webdav response. #1520

Merged (1 commit), Apr 24, 2024

Conversation

@ewelinagr (Member) commented Apr 24, 2024

The decodeHTMLEntities function seems not to be needed, and it introduces a vulnerability: "DOM text reinterpreted as HTML" (CWE-79, CWE-116).

There is an issue with special characters in external storages, but this function doesn't fix the problem (reported in FAIRSPC-62).
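Added example, not code from this project: it shows why a second entity-decoding pass on WebDAV property values is unnecessary and harmful. The XML parser in the WebDAV client already decodes entities once; decoding again corrupts names that legitimately contain `&` (CWE-116), and a decoder built on `innerHTML` would be the "DOM text reinterpreted as HTML" pattern (CWE-79). The safe pattern is decode once at the parser and escape at the output boundary. The PROPFIND fragment and all function names here are constructed.

```javascript
// Added example, not part of the PR or the project. Names and the
// PROPFIND fragment are constructed for illustration.
const XML_ENTITIES = {amp: '&', lt: '<', gt: '>', quot: '"', apos: "'"};

// One decoding pass over element text: this is what the WebDAV client's
// XML parser already does when it parses the PROPFIND body.
function decodeXmlEntities(text) {
  return text.replace(/&(amp|lt|gt|quot|apos);/g, (_, name) => XML_ENTITIES[name]);
}

// Pull d:displayname out of a constructed PROPFIND response fragment and
// decode it exactly once, as a real parser would.
function displayNameFromPropfind(xml) {
  const m = /<d:displayname>([^<]*)<\/d:displayname>/.exec(xml);
  return m ? decodeXmlEntities(m[1]) : null;
}

// Output-side encoding: what a template must do before placing a file
// name into HTML as text (the opposite of decoding it again).
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, c =>
    ({'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'}[c]));
}

// A file whose literal name is `Tom &amp; <b>Jerry</b>.txt`. The server
// XML-escapes it once, so every "&" becomes "&amp;" and "<" becomes "&lt;".
const LITERAL_NAME = 'Tom &amp; <b>Jerry</b>.txt';
const SAMPLE_PROPFIND =
  '<d:response><d:propstat><d:prop><d:displayname>' +
  'Tom &amp;amp; &lt;b&gt;Jerry&lt;/b&gt;.txt' +
  '</d:displayname></d:prop></d:propstat></d:response>';

function demo() {
  const once = displayNameFromPropfind(SAMPLE_PROPFIND); // parser output
  const twice = decodeXmlEntities(once);                 // the extra pass this PR removes
  return {
    once,                       // equals LITERAL_NAME: the parser did its job
    twice,                      // "Tom & <b>Jerry</b>.txt": the name is now wrong
    corrupted: twice !== once,  // true: double decoding changed the data
    rendered: escapeHtml(once), // safe to insert into HTML as inert text
  };
}
```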

decodeHTMLEntities seems not to be needed and it introduces
vulnerability: "DOM text reinterpreted as HTML" - CWE-79, CWE-116
@@ -479,12 +472,6 @@ class FileAPI {
mapToFile = fileObject => {
const properties = {...fileObject, ...(fileObject.props || {})};
delete properties.props;
Object.keys(properties).forEach(key => {
// The WebDAV client does not properly decode the XML response,
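Review bot: the hunk header `@@ -479,12 +472,6 @@` records six lines removed from `mapToFile`, but the removed lines are not visible in this view, so what the `Object.keys(properties).forEach(key => {` body still does once the decoding is gone cannot be confirmed from the hunk; if the comment `// The WebDAV client does not properly decode the XML response,` survives the change, it now describes a workaround that no longer exists and should be removed or reworded, and if the `forEach` body is left empty it should be dropped along with it.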
Contributor commented:

Let me be honest, I still don't understand this part of the code. Did you check the problem this piece of code solves? Aren't we removing a fix for something?

Contributor commented:

I mean I see your comment, I saw the ticket you created. Does this ticket cover the issue? How critical is it?

Member (Author) commented:

That is the thing, it doesn't seem to be solving any problem. Maybe there was something in previous versions of webdav, but now it makes no difference with or without it (I tried various properties and various special characters, and there is still no difference whether it is there or not).

Contributor commented:

Good, let's indeed remove it and see how it goes.

@ewelinagr ewelinagr merged commit 9e0d1d0 into dev Apr 24, 2024
6 checks passed
@ewelinagr ewelinagr deleted the fix-codeql branch April 24, 2024 10:54