Closed tripu closed 5 years ago
@tripu I went through the tests, so far as I could understand them; here is the checklist so far. There are some open issues for which you may have an answer.
[ ] Data validation
[ ] XSS: Sanitize user input: that may be necessary for the data received via the HTTP POST that is issued when the form is submitted. Not sure how and what to do about it: how do I ensure that the input is proper text without any executable? Or is it necessary to check? There is no `eval` or similar in the program.
Is it necessary to check whether the input is not too large? I.e., that it would not override some buffers? Or do browsers have protections for this?
[X] SQL Injection: not applicable, there is no underlying database handling.
[x] Command Injection: again, sanitize user input, mostly URLs. I am not sure what is to be done.
The `s/.../.../` feature uses regular expressions internally, by turning the first string into a regex (this is used to ensure that all occurrences in a line of the match are changed). The safe-check approach has been implemented for this (as part of PR #33).
`catch` or `throw` calls. At some place, potentially, secret information like the gh token could spill to the public; I have obfuscated those (as part of PR #33). I also do not know whether the usage of local storage in the browser has separate vulnerabilities.
Good work, @iherman! I'll review your PR very soon.
(You see? You're beginning to love Node.js development… ;)
> Good work, @iherman! I'll review your PR very soon.
There are, actually, only very few changes in the PR. But there are a number of questions in the list of items for which I do not really have an answer...
Added some changes on URL sanitation, see comment in #33.
I guess this issue is also moot with the disappearance of the CGI interface