This repository has been archived by the owner before Nov 9, 2022. It is now read-only.

DOM-based cross-site scripting (DOM_XSS) issue found in angular.js in Coverity scan #17045

Open

veereshsg-git opened this issue Jun 15, 2020 · 6 comments


veereshsg-git commented Jun 15, 2020

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑
Hi Team - Request to provide a solution to avoid the below issue in the Coverity scan.

Issue details are as follows:

The property window.location.href is a source of untrusted data.

DOM-based cross-site scripting (DOM_XSS)
2. sink: Calling urlResolve. This call uses window.location.href for sensitive computation.
The untrusted data reaches a sink that can either lead to HTML injection, JavaScript code execution, or the manipulation of a URL starting with the "javascript:" or "data:" schemes. Any of these can lead to a DOM XSS vulnerability.

HTML injection: Either escape properly the untrusted data or use a safe API to insert this data to the DOM; direct HTML manipulation as text should be avoided.
JavaScript code execution: Validate any untrusted data against a whitelist so it's not possible for an attacker to have its supplied code executing.
URL manipulation: Make sure the scheme is whitelisted and doesn't allow for the injection of a URL like: "data:text/html;,<img/src/onerror=alert(1)>".

var originUrl = urlResolve(window.location.href);

dom

Member

petebacondarwin commented Jun 15, 2020

This is not the correct repository for AngularJS issues. Transferring...

petebacondarwin transferred this issue from angular/angular Jun 15, 2020

Member

petebacondarwin commented Jun 15, 2020

Would it be possible for you to provide a test case where AngularJS was vulnerable and send it to security@angularjs.org? See https://docs.angularjs.org/guide/security for more information about reporting security issues.

Author

veereshsg-git commented Jun 15, 2020

Sure. Will do it. Thanks.

Author

veereshsg-git commented Jun 15, 2020

Hi FYI - I sent a mail to security@angularjs.org with use case details. Thanks.

Contributor

IgorMinar commented Jun 16, 2020

This report appears incorrect to me. While window.location.href is a source of untrusted data, this data is not ever evaluated by Angular in any way.

So the way we interact with that API does not pose a problem and it's safe to ignore the warning.

We see quite a few scanning tools identify false positives in angular.js and this seems to be just another one.

Author

veereshsg-git commented Jun 16, 2020

> This report appears incorrect to me. While window.location.href is a source of untrusted data, this data is not ever evaluated by Angular in any way.
>
> So the way we interact with that API does not pose a problem and it's safe to ignore the warning.
>
> We see quite a few scanning tools identify false positives in angular.js and this seems to be just another one.

Thanks for the valuable comment. It will certainly help me to proceed.
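
The thread turns on whether a value read from window.location.href ever reaches an executing sink. The following is an added example, not part of the thread and not AngularJS source: it parses an untrusted href into inert components for a same-origin comparison, and separately applies the scheme allowlist the scanner's guidance asks for before a URL would reach a real sink. The function names (`resolveUrl`, `isSameOrigin`, `isSafeForUrlSink`) and sample URLs are hypothetical and constructed.

```javascript
// Added example (not AngularJS source). Function names are hypothetical.
// Uses the standard WHATWG URL parser, available in browsers and Node.js.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Parse an untrusted href into inert components. Nothing here is evaluated
// or written to the DOM; the result is a set of plain strings.
function resolveUrl(href, base) {
  try {
    const u = new URL(href, base);
    return { protocol: u.protocol, host: u.host, pathname: u.pathname };
  } catch (e) {
    return null; // unparseable input is rejected, not guessed at
  }
}

// Comparison-only use of the page URL: tainted data flows into a boolean.
function isSameOrigin(candidate, pageHref) {
  const page = resolveUrl(pageHref);
  const target = resolveUrl(candidate, pageHref);
  if (!page || !target) return false;
  return page.protocol === target.protocol && page.host === target.host;
}

// Gate to apply before a URL reaches a real sink (href/src assignment,
// navigation): the scheme allowlist from the scanner's guidance.
function isSafeForUrlSink(candidate, pageHref) {
  const target = resolveUrl(candidate, pageHref);
  return target !== null && ALLOWED_SCHEMES.has(target.protocol);
}

// Constructed sample values; the data: URL is the one quoted in the report.
const pageHref = 'https://app.example/index.html#<img/src/onerror=alert(1)>';
const samples = [
  '/api/items',
  'https://other.example/api',
  'data:text/html;,<img/src/onerror=alert(1)>',
  'javascript:alert(1)',
];
for (const s of samples) {
  console.log(s, isSameOrigin(s, pageHref), isSafeForUrlSink(s, pageHref));
}
```

When triaging a finding like this one, the question to answer is which of the two functions the flagged call resembles: a comparison that yields a boolean, or an assignment that hands the string to the DOM.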
