angular / angular.js

AngularJS - HTML enhanced for web apps!
https://angularjs.org
MIT License

DOM-based cross-site scripting (DOM_XSS) issue found in angular.js in Coverity scan #17045

Open veereshsg-git opened 4 years ago

veereshsg-git commented 4 years ago

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑

Hi Team - Request to provide a solution to avoid the below issue in the Coverity scan.

Issue Details are as follows,

The property window.location.href is a source of untrusted data.

DOM-based cross-site scripting (DOM_XSS)

2. sink: Calling urlResolve. This call uses window.location.href for sensitive computation.

The untrusted data reaches a sink that can either lead to HTML injection, JavaScript code execution, or the manipulation of a URL starting with the "javascript:" or "data:" schemes. Any of these can lead to a DOM XSS vulnerability.

HTML injection: Either escape properly the untrusted data or use a safe API to insert this data to the DOM; direct HTML manipulation as text should be avoided.
JavaScript code execution: Validate any untrusted data against a whitelist so it's not possible for an attacker to have its supplied code executing.
URL manipulation: Make sure the scheme is whitelisted and doesn't allow for the injection of a URL like: "data:text/html;,<img/src/onerror=alert(1)>".

var originUrl = urlResolve(window.location.href);

dom

petebacondarwin commented 4 years ago

This is not the correct repository for AngularJS issues. Transferring...

petebacondarwin commented 4 years ago

Would it be possible for you to provide a test case where AngularJS was vulnerable and send it to security@angularjs.org? See https://docs.angularjs.org/guide/security for more information about reporting security issues.

veereshsg-git commented 4 years ago

Sure. Will do it. Thanks.

veereshsg-git commented 4 years ago

Hi FYI - I sent a mail to security@angularjs.org with use case details. Thanks.

IgorMinar commented 4 years ago

This report appears incorrect to me. While window.location.href is a source of untrusted data, this data is not ever evaluated by Angular in any way.

So the way we interact with that API does not pose a problem and it's safe to ignore the warning.

We see quite a few scanning tools identify false positives in angular.js and this seems to be just another one.
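Added example, not part of the thread and not AngularJS code: it contrasts a comparison-only use of `location.href` (parsed into components, never written to the DOM or evaluated) with the case the scanner's advice targets, where a URL is about to reach a real sink and needs a scheme allowlist. The names `parseUrl`, `isSameOrigin`, `safeUrlOrNull`, `ALLOWED_SCHEMES` and the `app.example.test` URL are assumptions made for illustration.

```javascript
'use strict';

// Hypothetical helper (not AngularJS's urlResolve): parse a URL string into
// components with the WHATWG URL API. The untrusted string only becomes data.
function parseUrl(href, base) {
  const u = new URL(href, base);
  return { protocol: u.protocol, host: u.host, pathname: u.pathname };
}

// Comparison-only use: the page URL is parsed and matched against a request
// URL. The result is a boolean; no part of the input is rendered or executed.
function isSameOrigin(requestUrl, pageHref) {
  const page = parseUrl(pageHref);
  let req;
  try {
    req = parseUrl(requestUrl, pageHref);
  } catch (e) {
    return false; // unparsable input is treated as cross-origin
  }
  return req.protocol === page.protocol && req.host === page.host;
}

// Sink-bound use: a URL that will be assigned to href, src or location.
// Check the parsed scheme against an allowlist instead of matching string
// prefixes, because the parser normalises case, leading spaces and tabs.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function safeUrlOrNull(candidate, pageHref) {
  let u;
  try {
    u = new URL(candidate, pageHref);
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(u.protocol) ? u.href : null;
}

// Constructed sample page URL with attacker-influenced fragment content.
const PAGE = 'https://app.example.test/index.html#/view?x=<script>';

console.log(isSameOrigin('/api/items', PAGE));
console.log(safeUrlOrNull('java\tscript:alert(1)', PAGE));
```

A finding like the one in this issue is a true positive only when the value on the right-hand side later flows into a sink without a check such as `safeUrlOrNull`.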

veereshsg-git commented 4 years ago

> This report appears incorrect to me. While window.location.href is a source of untrusted data, this data is not ever evaluated by Angular in any way.
>
> So the way we interact with that API does not pose a problem and it's safe to ignore the warning.
>
> We see quite a few scanning tools identify false positives in angular.js and this seems to be just another one.

Thanks for the valuable comment. It will certainly help me to proceed.