codeql提到,
missing-origin-check会:
Missing origin verification in a postMessage handler allows any windows to send arbitrary data to the handler.
overly-large-range会:
Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer.
这两个好像都跟CWE-20有关。
System information
apollo.sh configif onmasterbranch: root@in-dev-docker:/apollo# ./apollo.sh config [INFO] No rocm-smi found. [INFO] NVIDIA GPU device found. [INFO] Apollo Environment Settings: [INFO] APOLLO_ROOT_DIR: /apollo [INFO] APOLLO_CACHE_DIR: /apollo/.cache [INFO] APOLLO_IN_DOCKER: true [INFO] APOLLO_VERSION: master-2024-05-23-54c820207c [INFO] DOCKER_IMG: dev-x86_64-18.04-20240326_1453 [INFO] APOLLO_ENV: STAGE=dev USE_ESD_CAN=false [INFO] USE_GPU_HOST: 1 [INFO] USE_GPU_TARGET: 1 [INFO] GPU_PLATFORM: NVIDIA [INFO] Configure .apollo.bazelrc in non-interactive mode [INFO] You have bazel 5.2.0 installed. [INFO] Found possible Python library paths: /usr/lib/python3/dist-packages /usr/local/lib/python3.6/dist-packages [INFO] Found CUDA 11.1 in: /usr/local/cuda-11.1/targets/x86_64-linux/lib /usr/local/cuda-11.1/targets/x86_64-linux/include [INFO] Found cuDNN 8 in: /usr/lib/x86_64-linux-gnu /usr/include [INFO] Found TensorRT 7 in: /usr/lib/x86_64-linux-gnu /usr/include/x86_64-linux-gnu [ OK ] Successfully configured .apollo.bazelrc in non-interactive mode. [INFO] Usage: /apollo/scripts/apollo_config.sh [Options] [INFO] Options: [INFO] -i|--interactive Run in interactive mode [INFO] -n|--noninteractive Run in non-interactive mode [INFO] -h|--help Show this message and exitSteps to reproduce the issue:
./codeql/codeql database create codetest --db-cluster --language python,javascript --no-run-unnecessary-buildsSupporting materials (screenshots, command lines, code/script snippets):
postMessagehandler allows any windows to send arbitrary data to the handler. overly-large-range会: Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer. 这两个好像都跟CWE-20有关。