From 19969b4fbd6b5b6da67825a69b0f317afa1327dd Mon Sep 17 00:00:00 2001
From: Wataru
Date: Wed, 9 Oct 2019 09:23:34 +0900
Subject: [PATCH] =?UTF-8?q?Fixing=20Vulnerability=20A=20Fortify=20Scan=20f?=
 =?UTF-8?q?inds=20a=20critical=20Cross-Site=20Scrip=E2=80=A6=20(#2451)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Fixing Vulnerability A Fortify Scan finds a critical Cross-Site Scripting

* use var insted of const
---
 lib/helpers/isURLSameOrigin.js | 3 +++
 lib/helpers/isValidXss.js | 6 ++++++
 test/specs/helpers/isURLSameOrigin.spec.js | 4 ++++
 3 files changed, 13 insertions(+)
 create mode 100644 lib/helpers/isValidXss.js

diff --git a/lib/helpers/isURLSameOrigin.js b/lib/helpers/isURLSameOrigin.js
index f1d89ad19d..ecf9212365 100644
--- a/lib/helpers/isURLSameOrigin.js
+++ b/lib/helpers/isURLSameOrigin.js
@@ -1,6 +1,7 @@
 'use strict';
 
 var utils = require('./../utils');
+var isValidXss = require('./isValidXss');
 
 module.exports = (
 utils.isStandardBrowserEnv() ?
@@ -27,6 +28,8 @@ module.exports = (
 href = urlParsingNode.href;
 }
 
+ isValidXss(url);
+
 urlParsingNode.setAttribute('href', href);
 
 // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
diff --git a/lib/helpers/isValidXss.js b/lib/helpers/isValidXss.js
new file mode 100644
index 0000000000..5783a72015
--- /dev/null
+++ b/lib/helpers/isValidXss.js
@@ -0,0 +1,6 @@
+'use strict';
+
+module.exports = function isValidXss(requestURL) {
+ var regex = RegExp('+.*<\/script>');
+ return regex.test(requestURL);
+};
diff --git a/test/specs/helpers/isURLSameOrigin.spec.js b/test/specs/helpers/isURLSameOrigin.spec.js
index c26c770351..a9d13f5f49 100644
--- a/test/specs/helpers/isURLSameOrigin.spec.js
+++ b/test/specs/helpers/isURLSameOrigin.spec.js
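Review bot: The added `isValidXss(url);` in the second hunk of isURLSameOrigin.js discards the boolean it returns, so the check has no effect on anything: whatever the regex matches, execution proceeds unchanged to `urlParsingNode.setAttribute('href', href);` and the function's result is unaffected. If the intent is to influence the origin decision, the value has to be captured and used, and the caller should note that it is inspecting `url` while the code around it works on `href`. Even then, a regex denylist inside an origin comparison is the wrong layer for a cross-site scripting fix; untrusted data should be encoded at the sink where it is rendered, and this helper should stay a pure origin check. The enclosing function starts before and ends after the hunk, so how its return value is consumed is not visible here.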
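Review bot: In the new isValidXss.js, the pattern as shown, `RegExp('+.*<\/script>')`, begins with a quantifier that has nothing to repeat, so constructing it throws a SyntaxError on every call and the caller would throw instead of detecting anything; if a leading literal was lost when this page was rendered, please confirm the exact pattern, since the hunk is the only evidence available. The name is also inverted: the function returns true when `requestURL` contains a closing script tag, which is the opposite of what `isValid…` suggests, so a name such as `containsScriptTag` and a header comment like `// Returns true when the URL contains a closing </script> tag; this is a heuristic, not a sanitizer.` would describe what the code does. `\/` inside a single-quoted string is just `/`, and the regex is rebuilt on each call; hoisting it to a module-level literal, `var SCRIPT_TAG_RE = /…pattern…/;` with `return SCRIPT_TAG_RE.test(requestURL);`, removes both issues. A single literal-substring regex is case-sensitive and ignores encoded forms, so it should not be described as an XSS control in the module or the changelog.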
@@ -8,4 +8,8 @@ describe('helpers::isURLSameOrigin', function () { it('should detect different origin', function () { expect(isURLSameOrigin('https://github.com/axios/axios')).toEqual(false); }); + + it('should detect xss', function () { + expect(isURLSameOrigin('https://github.com/axios/axios?')).toEqual(false) + }) });
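Review bot: The new `should detect xss` case asserts `toEqual(false)` for a github.com URL, which the preceding `should detect different origin` case already yields, so it passes whether or not the script-tag check runs; and since `isValidXss(url)`'s return value is discarded in isURLSameOrigin.js, there is currently no observable behaviour for this test to pin. The input `'https://github.com/axios/axios?'` ends in a bare `?`, which suggests the query-string payload was lost in rendering; please confirm the intended input, and consider testing the helper directly with a same-origin URL so the assertion cannot be satisfied by the origin mismatch alone. The added lines also drop the trailing semicolons used by the surrounding assertions: `expect(isURLSameOrigin('https://github.com/axios/axios?')).toEqual(false);` and `});`.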