Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

incomplete-sanitization in getUrl.js #1621

Closed
ruchira-net opened this issue Nov 22, 2024 · 1 comment
Closed

incomplete-sanitization in getUrl.js #1621

ruchira-net opened this issue Nov 22, 2024 · 1 comment

Comments

@ruchira-net
Copy link

Bug report

When scanned with CodeQL scanner, it finds a incomplete sanitization issue in the getUrl.js file.

Actual Behavior

Below method doesn't escape backslash characters in the input.

image

Expected Behavior

Method should sanitize untrusted input for preventing injection attacks such as SQL injection or cross-site scripting (Even if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output).

How Do We Reproduce?

  1. Open the Wave analysis extension in VSCode.
  2. Click Add Analysis Tools and select CodeQL.

image

  1. Click OK

image

  1. Run the CodeQL scanner
  2. You should see that it complains about the method in the getUrl.js file as below

image

Please paste the results of npx webpack-cli info here, and mention other relevant information

System:
OS: Windows 11 10.0.26100
CPU: (12) x64 12th Gen Intel(R) Core(TM) i7-1255U
Memory: 13.15 GB / 31.69 GB
Binaries:
Node: 21.6.2 - C:\Program Files\nodejs\node.EXE
npm: 10.2.4 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: Chromium (130.0.2849.46)
Internet Explorer: 11.0.26100.1882
ruchira-net added a commit to ruchira-net/css-loader that referenced this issue Nov 22, 2024
@ruchira-net
webpack-contrib#1621 fix: correct escaping of backslashes in URL wrap…
0d0e829 
…ping
@ruchira-net ruchira-net mentioned this issue Nov 22, 2024
Closed
4 tasks
ruchira-net added a commit to ruchira-net/css-loader that referenced this issue Nov 26, 2024
@ruchira-net
webpack-contrib#1621 fix: complication error
65245c9
ruchira-net added a commit to ruchira-net/css-loader that referenced this issue Nov 26, 2024
@ruchira-net
test: add snapshot and test case for URL escaping with backslashes (w…
e027815 
…ebpack-contrib#1621)
ruchira-net added a commit to ruchira-net/css-loader that referenced this issue Dec 2, 2024
@ruchira-net
test: update URL snapshot and test case for escaping backslashes (web…
28ca565 
…pack-contrib#1621)
@alexander-akait
Copy link
Member

#1622 (comment), It looks like the utility has false positive result here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alexander-akait @ruchira-net