Angular.js: DOM-based cross-site scripting (DOM_XSS) issue found in angular.js in Coverity scan

Created on 15 Jun 2020  路  6Comments  路  Source: angular/angular.js

馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.

馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃
Hi Team - Request to provide solution to avoid below issue in Coverity scan.

Issue Details are as follows,

The property window.location.href is a source of untrusted data.

DOM-based cross-site scripting (DOM_XSS)2. sink: Calling urlResolve. This call uses window.location.href for sensitive computation. [show details]
The untrusted data reaches a sink that can either lead to HTML injection, JavaScript code execution, or the manipulation of a URL starting with the "javascript:" or "data:" schemes. Any of these can lead to a DOM XSS vulnerability.

HTML injection: Either escape properly the untrusted data or use a safe API to insert this data to the DOM; direct HTML manipulation as text should be avoided.
JavaScript code execution: Validate any untrusted data against a whitelist so it's not possible for an attacker to have its supplied code executing.
URL manipulation: Make sure the scheme is whitelisted and doesn't allow for the injection of a URL like: "data:text/html;,<img/src/onerror=alert(1)>".

var originUrl = urlResolve(window.location.href);

dom

picture veereshsg-git

All 6 comments

This is not the correct repository for AngularJS issues. Transferring...

petebacondarwin picture petebacondarwin on 15 Jun 2020
👍1

Would it be possible for you to provide a test case where AngularJS was vulnerable and send it to [email protected]? See https://docs.angularjs.org/guide/security for more information about reporting security issues.

petebacondarwin picture petebacondarwin on 15 Jun 2020
👍1

Sure. Will do it. Thanks.

veereshsg-git picture veereshsg-git on 15 Jun 2020

Hi FYI - I sent a mail to [email protected] with use case details. Thanks.

veereshsg-git picture veereshsg-git on 15 Jun 2020

This report appears incorrect to me. While window.location.href is a source of untrusted data, this data is not ever evaluated by Angular in any way.

So the way we interact with that API does not pose聽a problem and it's safe to ignore the warning.

We see quite a few scanning tools identify false positives in angular.js and this seems to be just another one.

IgorMinar picture IgorMinar on 16 Jun 2020
👍1

This report appears incorrect to me. While window.location.href is a source of untrusted data, this data is not ever evaluated by Angular in any way.

So the way we interact with that API does not pose a problem and it's safe to ignore the warning.

We see quite a few scanning tools identify false positives in angular.js and this seems to be just another one.

Thanks for the valuable comment. It will certainly help me to proceed.

veereshsg-git picture veereshsg-git on 16 Jun 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mbykovskyy picture mbykovskyy  路  69Comments
ttopalov picture ttopalov  路  154Comments
wahyd4 picture wahyd4  路  73Comments
phaas picture phaas  路  69Comments
georgiosd picture georgiosd  路  124Comments