MOV-AI / backend

Backend web server and rest api for movai

fix for LDAP injection and XSS attack #49

Closed engdorm closed 2 years ago

engdorm commented 2 years ago

By default, when we request to open front-end application, URL parameters might be passed, and those parameters are returned back in the response.

But when there’s malicious scripting in the URL parameters, they are not executed, but they’re also returned in the response. We should block the request raising some exceptions and not rendering the app if it contains scripting.

What I did here in this PR is just decode the request params and check if they contain scripting, but there might be other types of malicious code that should also be prevented, and the back-end team might have better ideas of implementation to fix this.

This PR is meant to fix two types of vulnerabilities caught by Qualys scan:

https://movai.atlassian.net/browse/BP-571

https://movai.atlassian.net/browse/BP-572
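The pattern the PR describes, shown as an added example that is not the MOV-AI backend's own code: a naive handler that echoes URL parameters straight back into the page, next to a hardened handler that URL-decodes the parameters (including one extra decode pass so double-encoded values are inspected in plain form), refuses the request with an exception when a value carries script-like markup, and HTML-escapes whatever it does reflect. The route, the `SCRIPT_MARKUP` pattern and all function names are assumptions made for this illustration.

```python
import re
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit


class UnsafeParameter(ValueError):
    """Raised when a request parameter carries script-like markup."""


# Assumption: a deliberately small heuristic covering the cases the PR names
# (script tags, javascript: URLs, inline event handlers). It is a reject
# filter layered on top of output escaping, not a substitute for it.
SCRIPT_MARKUP = re.compile(
    r"<\s*/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def decode_params(query: str) -> dict:
    """Parse the query string into {key: [values]}.

    parse_qs already decodes one level of percent-encoding; the extra
    unquote() exposes double-encoded payloads (%253C -> %3C -> <) so the
    check below sees the same text a browser eventually would."""
    decoded = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        decoded[unquote(key)] = [unquote(v) for v in values]
    return decoded


def check_params(params: dict) -> None:
    """Reject the request if any key or value looks like script markup."""
    for key, values in params.items():
        if SCRIPT_MARKUP.search(key):
            raise UnsafeParameter(f"parameter name {key!r} contains script-like markup")
        for value in values:
            if SCRIPT_MARKUP.search(value):
                raise UnsafeParameter(f"parameter {key!r} contains script-like markup")


def render_naive(url: str) -> str:
    """The vulnerable pattern: parameters reflected verbatim into HTML."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    items = "".join(f"<li>{k}={v[0]}</li>" for k, v in params.items())
    return f"<ul>{items}</ul>"


def render_hardened(url: str) -> str:
    """Decode, check, then escape before anything reaches the response."""
    params = decode_params(urlsplit(url).query)
    check_params(params)  # raises UnsafeParameter instead of rendering
    items = "".join(
        f"<li>{escape(k)}={escape(v[0])}</li>" for k, v in params.items()
    )
    return f"<ul>{items}</ul>"


def is_request_safe(url: str) -> bool:
    """True if the hardened handler would render the URL, False if it rejects it."""
    try:
        render_hardened(url)
    except UnsafeParameter:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs: a benign one and the classic reflected-script probe.
    benign = "http://app.local/?layout=default&tab=1"
    probe = "http://app.local/?name=%3Cscript%3Ealert(1)%3C/script%3E"
    print(render_naive(probe))      # script tag comes back untouched
    print(render_hardened(benign))  # escaped, ordinary parameters
    print(is_request_safe(probe))   # False: request is refused
```

The important design point is that `check_params` runs before any rendering, so a rejected request never produces a page at all; the `escape()` calls in `render_hardened` remain as the actual XSS defence for values the heuristic does not recognise, since a keyword filter alone will always have gaps.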

engdorm commented 2 years ago

@RianMartins-Movai or anyone else from @MOV-AI/frontend-team, please check again. I pushed a fix, I checked, and the layout works!!!