Skip to content
This repository has been archived by the owner on Apr 13, 2022. It is now read-only.

DOM-based cross-site scripting (DOM_XSS) issue found in angular.js in Coverity scan #17045

Open
veereshsg-git opened this issue Jun 15, 2020 · 6 comments
Open

DOM-based cross-site scripting (DOM_XSS) issue found in angular.js in Coverity scan #17045

veereshsg-git opened this issue Jun 15, 2020 · 6 comments

Comments

@veereshsg-git
Copy link

馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.

馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃
Hi Team - Request to provide solution to avoid below issue in Coverity scan.

Issue Details are as follows,

The property window.location.href is a source of untrusted data.

DOM-based cross-site scripting (DOM_XSS)2. sink: Calling urlResolve. This call uses window.location.href for sensitive computation. [show details]
The untrusted data reaches a sink that can either lead to HTML injection, JavaScript code execution, or the manipulation of a URL starting with the "javascript:" or "data:" schemes. Any of these can lead to a DOM XSS vulnerability.

HTML injection: Either escape properly the untrusted data or use a safe API to insert this data to the DOM; direct HTML manipulation as text should be avoided.
JavaScript code execution: Validate any untrusted data against a whitelist so it's not possible for an attacker to have its supplied code executing.
URL manipulation: Make sure the scheme is whitelisted and doesn't allow for the injection of a URL like: "data:text/html;,<img/src/onerror=alert(1)>".

var originUrl = urlResolve(window.location.href);

dom
@petebacondarwin
Copy link
Member

This is not the correct repository for AngularJS issues. Transferring...

@petebacondarwin petebacondarwin transferred this issue from angular/angular Jun 15, 2020
@petebacondarwin
Copy link
Member

Would it be possible for you to provide a test case where AngularJS was vulnerable and send it to security@angularjs.org? See https://docs.angularjs.org/guide/security for more information about reporting security issues.

@veereshsg-git
Copy link
Author

Sure. Will do it. Thanks.

@veereshsg-git
Copy link
Author

Hi FYI - I sent a mail to security@angularjs.org with use case details. Thanks.

@IgorMinar
Copy link
Contributor

This report appears incorrect to me. While window.location.href is a source of untrusted data, this data is not ever evaluated by Angular in any way.

So the way we interact with that API does not pose聽a problem and it's safe to ignore the warning.

We see quite a few scanning tools identify false positives in angular.js and this seems to be just another one.

@veereshsg-git
Copy link
Author

This report appears incorrect to me. While window.location.href is a source of untrusted data, this data is not ever evaluated by Angular in any way.

So the way we interact with that API does not pose a problem and it's safe to ignore the warning.

We see quite a few scanning tools identify false positives in angular.js and this seems to be just another one.

Thanks for the valuable comment. It will certainly help me to proceed.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@petebacondarwin @IgorMinar @veereshsg-git