getappmap / scanner

Code scanning, linting, assertions and alerts.

feat: Rule - Deserialization of untrusted data #86

Closed kgilpin closed 2 years ago

kgilpin commented 2 years ago

OK, I will fix the doc. Thanks for taking a look at this.

On Fri, Jan 21, 2022 at 11:38 AM Rafał Rzepecki @.***> wrote:

@.**** commented on this pull request.

In src/rules/deserializationOfUntrustedData.ts https://github.com/applandinc/scanner/pull/86#discussion_r789817772:

```ts
event.labels.has(label) &&
  !!event.returnValue &&
  !!event.returnValue.object_id &&
  event.returnValue.object_id === objectId
```

Ah, ok, I understand now; took me a while :) It's a bit difficult to follow like this, although I suppose it can hardly be improved without implementing some kind of explicit data flow analysis.

BTW, maybe what confused me is that's not what the doc says -- it says sanitization should modify the data in place and return truthy. (Which is not how most sanitization functions work, so this is definitely better.)

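An added example, not the scanner's own code, that models the matching rule the review comment discusses: a deserialization event counts as sanitized only when an earlier event carrying the sanitizer label returns the very same object (same `object_id`), so a sanitizer that modifies its argument in place and returns `true`, as the doc described, does not match. The label names, the event shape, and the sample events are all assumptions constructed for this example.

```typescript
// Assumed labels; the scanner's real label names are not shown on this page.
const DESERIALIZE_LABEL = 'deserialize.unsafe';
const SANITIZE_LABEL = 'deserialize.sanitize';

// Minimal stand-in for an AppMap call/return event (assumed shape).
interface ReturnValue {
  object_id?: number; // identity of the returned object
  value?: string;     // rendered value, e.g. 'true'
}

interface Event {
  id: number;                          // event order in the recording
  labels: Set<string>;
  parameters?: { object_id?: number }[];
  returnValue?: ReturnValue;
}

// The predicate from the review thread: the event is a sanitizer for
// `objectId` when it has the label and returns that same object.
// Note that `!!object_id` also rejects an object_id of 0.
function isSanitizerFor(event: Event, label: string, objectId: number): boolean {
  return (
    event.labels.has(label) &&
    !!event.returnValue &&
    !!event.returnValue.object_id &&
    event.returnValue.object_id === objectId
  );
}

// Flag every deserialization event whose input object was not returned by
// a sanitizer event earlier in the recording.
function findUnsanitizedDeserializations(events: Event[]): Event[] {
  const findings: Event[] = [];
  for (const event of events) {
    if (!event.labels.has(DESERIALIZE_LABEL)) continue;
    const input = event.parameters?.[0];
    // Without an object identity there is nothing to track through sanitizers.
    if (!input || input.object_id === undefined) continue;
    const objectId = input.object_id;
    const sanitized = events.some(
      (e) => e.id < event.id && isSanitizerFor(e, SANITIZE_LABEL, objectId)
    );
    if (!sanitized) findings.push(event);
  }
  return findings;
}

function ev(
  id: number,
  labels: string[],
  parameters?: { object_id?: number }[],
  returnValue?: ReturnValue
): Event {
  return { id, labels: new Set(labels), parameters, returnValue };
}

// Constructed sample recording (not real scanner output):
//  1: sanitizer returns the object it was given  -> covers event 2
//  3: deserialization with no sanitizer at all    -> flagged
//  4: in-place sanitizer that returns `true`      -> does not cover event 5
const SAMPLE_EVENTS: Event[] = [
  ev(1, [SANITIZE_LABEL], [{ object_id: 100 }], { object_id: 100 }),
  ev(2, [DESERIALIZE_LABEL], [{ object_id: 100 }]),
  ev(3, [DESERIALIZE_LABEL], [{ object_id: 200 }]),
  ev(4, [SANITIZE_LABEL], [{ object_id: 300 }], { value: 'true' }),
  ev(5, [DESERIALIZE_LABEL], [{ object_id: 300 }]),
];

function flaggedIds(events: Event[]): number[] {
  return findUnsanitizedDeserializations(events).map((e) => e.id);
}

console.log('unsanitized deserialization events:', flaggedIds(SAMPLE_EVENTS));
```

Event 5 is the case the thread is about: a sanitizer written to the documented contract (modify in place, return truthy) leaves no return-value identity to match, so the scanner still reports the deserialization. Under this rule a sanitizer must return the object it validated.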

appland-release commented 2 years ago

:tada: This PR is included in version 1.36.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket: