angular/angular.js

DOM-based cross-site scripting (DOM_XSS) issue found in angular.js in Coverity scan

veereshsg-git opened this issue · 6 comments

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑
Hi Team - Request to provide a solution to avoid the below issue in the Coverity scan.

Issue details are as follows:

The property window.location.href is a source of untrusted data.

DOM-based cross-site scripting (DOM_XSS) 2. sink: Calling urlResolve. This call uses window.location.href for sensitive computation.
The untrusted data reaches a sink that can either lead to HTML injection, JavaScript code execution, or the manipulation of a URL starting with the "javascript:" or "data:" schemes. Any of these can lead to a DOM XSS vulnerability.

HTML injection: Either escape properly the untrusted data or use a safe API to insert this data to the DOM; direct HTML manipulation as text should be avoided.
JavaScript code execution: Validate any untrusted data against a whitelist so it's not possible for an attacker to have its supplied code executing.
URL manipulation: Make sure the scheme is whitelisted and doesn't allow for the injection of a URL like: "data:text/html;,<img/src/onerror=alert(1)>".

var originUrl = urlResolve(window.location.href);

This is not the correct repository for AngularJS issues. Transferring...

Would it be possible for you to provide a test case where AngularJS was vulnerable and send it to security@angularjs.org? See https://docs.angularjs.org/guide/security for more information about reporting security issues.

Sure. Will do it. Thanks.

Hi FYI - I sent a mail to security@angularjs.org with use case details. Thanks.

This report appears incorrect to me. While window.location.href is a source of untrusted data, this data is not ever evaluated by Angular in any way.

So the way we interact with that API does not pose a problem and it's safe to ignore the warning.

We see quite a few scanning tools identify false positives in angular.js and this seems to be just another one.
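Added example, not code from the AngularJS project or from anyone in this thread, illustrating the distinction drawn in the comment above and the mitigations listed in the Coverity text: `resolveUrl` and `isSameOrigin` stand in for the parse-and-compare use that the flagged `urlResolve(window.location.href)` line feeds into (as far as I can tell from the trace, an origin comparison; the helper names are my own). They only decompose the string and compare components, so a tainted location can change the outcome of the comparison but can never reach an HTML or script sink. `isSafeNavigationUrl` is the scheme allowlist the Coverity guidance asks for at the point where a URL does reach a sink, such as an `href` attribute. It relies on the WHATWG `URL` parser (global in Node and browsers); the allowlist contents and the sample location strings are constructed for this example, and the `data:` payload is the one from the scan message.

```javascript
// Added example, not AngularJS code: parse-only use of a location href versus a
// real sink check. Runs under Node (>= 10) or any browser; no imports needed.

// Decompose a URL into components, resolving a relative href against `base` when
// one is given. Nothing here is written into the DOM or evaluated, which is why a
// taint source flowing in is not by itself a DOM XSS.
function resolveUrl(href, base) {
  const u = new URL(href, base); // throws TypeError on unparseable input
  return {
    href: u.href,
    protocol: u.protocol.replace(/:$/, ""), // "https", scheme only
    host: u.host, // hostname plus port when the port is non-default
    hostname: u.hostname,
    port: u.port,
    pathname: u.pathname,
    search: u.search,
    hash: u.hash,
  };
}

// The "sensitive computation": is a request URL same-origin with the page?
// Attacker control of either string can only flip the boolean; it cannot inject
// markup or script, so there is no sink for the taint to reach.
function isSameOrigin(pageHref, requestHref) {
  const page = resolveUrl(pageHref);
  const request = resolveUrl(requestHref, pageHref);
  return page.protocol === request.protocol && page.host === request.host;
}

// Where a URL *does* reach a sink (for example, assigned to an anchor's href),
// allowlist the scheme after parsing rather than string-prefix matching.
// Assumption: these are the schemes this application permits for navigation.
const SAFE_NAVIGATION_SCHEMES = new Set(["http", "https", "mailto"]);

function isSafeNavigationUrl(candidate, base) {
  let u;
  try {
    // Relative URLs inherit the base's scheme; absolute ones keep their own.
    u = new URL(candidate, base);
  } catch (e) {
    return false; // unparseable input must never reach the sink
  }
  // The parser lowercases the scheme and strips leading control characters and
  // whitespace, so "JaVaScRiPt:" and "  javascript:" are rejected as well.
  return SAFE_NAVIGATION_SCHEMES.has(u.protocol.replace(/:$/, ""));
}

// Constructed sample inputs (not from any real site).
const PAGE_LOCATION = "https://app.example.com:8443/dashboard/#/route?q=1";
const NAVIGATION_SAMPLES = [
  "/dashboard",
  "https://example.org/",
  "mailto:security@angularjs.org",
  "javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  "data:text/html;,<img/src/onerror=alert(1)>",
  "ftp://example.org/file",
];

// Classify every sample against the page location; returns a map of
// candidate -> allowed so callers (and tests) can inspect the outcome.
function classifyNavigation(samples, base) {
  const verdicts = {};
  for (const s of samples) {
    verdicts[s] = isSafeNavigationUrl(s, base);
  }
  return verdicts;
}

// Stand-alone demo.
if (typeof require !== "undefined" && require.main === module) {
  console.log(resolveUrl(PAGE_LOCATION));
  console.log("same-origin /api/items:", isSameOrigin(PAGE_LOCATION, "/api/items"));
  console.log(classifyNavigation(NAVIGATION_SAMPLES, PAGE_LOCATION));
}
```

The point of the contrast is where the string ends up: `resolveUrl` and `isSameOrigin` are the Coverity-flagged pattern and are safe because their output is only ever compared, whereas `isSafeNavigationUrl` is what you need at the moment a URL is assigned to something the browser will navigate to or render. Note that the same-origin check treats a differing port as a different origin, which matches the browser's origin definition.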

Thanks for the valuable comment. It will certainly help me to proceed.