Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

incomplete-sanitization in getUrl.js #1621

Open
ruchira-net opened this issue Nov 22, 2024 · 0 comments
Open

incomplete-sanitization in getUrl.js #1621

ruchira-net opened this issue Nov 22, 2024 · 0 comments

Comments

@ruchira-net
Copy link

Bug report

When scanned with CodeQL scanner, it finds a incomplete sanitization issue in the getUrl.js file.

Actual Behavior

Below method doesn't escape backslash characters in the input.

image

Expected Behavior

Method should sanitize untrusted input for preventing injection attacks such as SQL injection or cross-site scripting (Even if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output).

How Do We Reproduce?

  1. Open the Wave analysis extension in VSCode.
  2. Click Add Analysis Tools and select CodeQL.

image

  1. Click OK

image

  1. Run the CodeQL scanner
  2. You should see that it complains about the method in the getUrl.js file as below

image

Please paste the results of npx webpack-cli info here, and mention other relevant information

System:
OS: Windows 11 10.0.26100
CPU: (12) x64 12th Gen Intel(R) Core(TM) i7-1255U
Memory: 13.15 GB / 31.69 GB
Binaries:
Node: 21.6.2 - C:\Program Files\nodejs\node.EXE
npm: 10.2.4 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: Chromium (130.0.2849.46)
Internet Explorer: 11.0.26100.1882
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ruchira-net