GitHub Code Scanning Alerts on hub.challenge when using Express.js
NotMyself opened this issue · 0 comments
NotMyself commented
We are implementing a subscriber to the Twitch.tv API. The GitHub Code Scanning system flags it as a CWE-79 and CWE-116 violation.
It suggests escaping the value like this:
response.status(200).send(escape(request.query['hub.challenge']));
Section 5.3.1 Verification Details says that the subscriber MUST respond with a status of 200 and a response body equal to the hub.challenge value. It does not offer a format for the hub.challenge value. Escaping it could alter the value in a way that makes it unacceptable to the hub.
I suspect that in implementations it is just a hash, but that is not a part of the spec, so it cannot be relied on.
Tracking here: michaeljolley/number-one#76
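An added example, not code from the issue or from the number-one project: an Express-compatible verification handler that echoes hub.challenge byte-for-byte, as Section 5.3.1 requires, but sends it as text/plain so the reflected value is never parsed as HTML, which addresses the scanner's reflected-output concern without escaping. It also rejects challenges for topics the app never subscribed to; the `pendingTopics` set and the Twitch topic URL in it are assumed stand-ins for the app's own subscription record.

```javascript
// Assumed record of subscriptions this app actually requested (constructed value).
const pendingTopics = new Set(['https://api.twitch.tv/helix/streams?user_id=12345']);

// Decide how to answer a WebSub intent-verification GET, given the parsed
// query. Returns { status, body } so the logic can be tested without Express.
function verificationResponse(query) {
  const mode = query['hub.mode'];
  const topic = query['hub.topic'];
  const challenge = query['hub.challenge'];

  // Only subscribe/unsubscribe intents are verified this way.
  if (mode !== 'subscribe' && mode !== 'unsubscribe') {
    return { status: 404, body: '' };
  }
  // Express's query parser can yield arrays or objects for repeated keys;
  // the spec gives no format, but only a plain string can be echoed verbatim.
  if (typeof challenge !== 'string' || challenge.length === 0) {
    return { status: 400, body: '' };
  }
  // Refuse to confirm subscriptions this app never asked for.
  if (typeof topic !== 'string' || !pendingTopics.has(topic)) {
    return { status: 404, body: '' };
  }
  // Unmodified challenge: no escaping, so the hub's comparison succeeds.
  return { status: 200, body: challenge };
}

// Express route handler: app.get('/webhooks/twitch', handleWebSubVerification)
function handleWebSubVerification(req, res) {
  const { status, body } = verificationResponse(req.query);
  // text/plain means a browser will never render the reflected value as markup.
  res.status(status).type('text/plain').send(body);
}
```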