Fortify Scan throwing a critical vulnerability #2165
Comments
To help elaborate a bit, the helper in question is:

```js
utils.isStandardBrowserEnv() ?

  // Standard browser envs have full support of the APIs needed to test
  // whether the request URL is of the same origin as current location.
  (function standardBrowserEnv() {
    var msie = /(msie|trident)/i.test(navigator.userAgent);
    var urlParsingNode = document.createElement('a');
    var originURL;

    /**
     * Parse a URL to discover its components
     *
     * @param {String} url The URL to be parsed
     * @returns {Object}
     */
    function resolveURL(url) {
      var href = url;

      if (msie) {
        // IE needs attribute set twice to normalize properties
        urlParsingNode.setAttribute('href', href);
        href = urlParsingNode.href;
      }

      urlParsingNode.setAttribute('href', href);

      // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
      return {
        href: urlParsingNode.href,
        protocol: urlParsingNode.protocol ? urlParsingNode.protocol.replace(/:$/, '') : '',
        host: urlParsingNode.host,
        search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/, '') : '',
        hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') : '',
        hostname: urlParsingNode.hostname,
        port: urlParsingNode.port,
        pathname: (urlParsingNode.pathname.charAt(0) === '/') ?
          urlParsingNode.pathname :
          '/' + urlParsingNode.pathname
      };
    }

    originURL = resolveURL(window.location.href);
```

It all stems from setAttribute, but as far as I can tell, the anchor is only used as a URL API and should be exposed to the user.
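The quoted snippet shows only the parsing half of the helper. As an added example that is not axios code, here is a Node-runnable reimplementation of the same-origin test the helper performs, with the WHATWG URL class standing in for the detached anchor element (both follow the WHATWG URL parsing rules in current browsers; the double setAttribute for old IE is the part this replacement cannot reproduce). The returned predicate compares the normalised protocol and host, the two fields the axios helper compares; the page location and request URLs are constructed for illustration. The untrusted URL string is only parsed and compared here, never written into a document.

```javascript
// Added example (not axios code): Node-runnable reimplementation of the
// same-origin test that isURLSameOrigin.js performs in the browser with a
// detached <a> element. The WHATWG URL class replaces the anchor so the
// logic can be exercised outside a browser.

// Mirrors the object the axios helper builds from the anchor's UrlUtils
// properties: protocol without trailing ':', host including a non-default
// port, search without '?', hash without '#'.
function resolveURL(url, base) {
  const u = new URL(url, base); // throws TypeError on unparsable input
  return {
    href: u.href,
    protocol: u.protocol.replace(/:$/, ''),
    host: u.host,
    search: u.search.replace(/^\?/, ''),
    hash: u.hash.replace(/^#/, ''),
    hostname: u.hostname,
    port: u.port,
    pathname: u.pathname.charAt(0) === '/' ? u.pathname : '/' + u.pathname,
  };
}

// Build the predicate for a given page location. The browser helper reads
// window.location.href once at load time; relative request URLs are
// resolved against that location before the comparison, as the anchor does.
function makeIsURLSameOrigin(locationHref) {
  const originURL = resolveURL(locationHref);
  return function isURLSameOrigin(requestURL) {
    const parsed = resolveURL(requestURL, locationHref);
    return parsed.protocol === originURL.protocol &&
      parsed.host === originURL.host;
  };
}

// Constructed inputs (hypothetical hosts) chosen to show what the
// protocol-plus-host comparison does and does not treat as same origin.
function demo() {
  const location = 'https://app.example.com/dashboard?tab=1#top';
  const isSameOrigin = makeIsURLSameOrigin(location);
  return {
    relativePath: isSameOrigin('/api/data?q=1'),                  // true
    absoluteSame: isSameOrigin('https://app.example.com/api'),    // true
    defaultPort: isSameOrigin('https://app.example.com:443/api'), // true, :443 is dropped from host
    schemeRelative: isSameOrigin('//evil.example.net/api'),       // false
    otherScheme: isSameOrigin('http://app.example.com/api'),      // false
    otherPort: isSameOrigin('https://app.example.com:8443/api'),  // false
    userinfoTrick: isSameOrigin('https://app.example.com@evil.example.net/'), // false, host is evil.example.net
    javascriptScheme: isSameOrigin('javascript:alert(1)'),        // false, protocol is 'javascript'
  };
}

console.log(demo());
```

The userinfo case is the one worth remembering when reading a scanner's dataflow trace: the hostname that appears first in the string is not the host the parser extracts, and the same-origin test only sees the parsed host.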
0.19.0 has a fix and has been released.
@emilyemorehouse are you sure? I checked the source and I still see setAttribute being used in the file mentioned above.
@emilyemorehouse I'm having the same problem with Fortify; the error was: Cross-Site Scripting: DOM [0] at isURLSameOrigin.js#26 [1]
Can you open this issue again?
[0] https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.cross_site_scripting_dom#JavaScript
@correamarques was your Fortify scan ☝️ against version 0.19.0, which @emilyemorehouse said had a fix for the finding?
I'm seeing the same issue, also with Fortify Scan, same lines of code, in version 0.19.0 of axios. Can we reopen this issue @emilyemorehouse?
Snyk also complains about this (newer 0.19 version):
In what scenario can this XSS issue be triggered? How can this problem be avoided?
Guys from Snyk say it's a false positive. |
Had an issue with the Fortify scans of our application, where a critical vulnerability was logged due to XSS: DOM.
The exact code causing the issue wasn't located; instead, the issue was located in the minified build JS file. Upon further perusal, I located the issue in the Axios library.
Has anyone faced a similar problem before, or is there a patch available for this?
Thanks!