
Security vulnerability #6351

Open
swetha8612 opened this issue Apr 12, 2024 · 4 comments

Comments

@swetha8612

Describe the issue

As part of our company's security policy, we run all our applications through a Fortify scan. The Fortify scan raised a flag in the axios.js file where setAttribute('href', href) has been used. It suggests validating the data that passes through this setAttribute('href', href). Could you please suggest something? Thank you.


@jasonsaayman
Member

At a glance, without going into the code, I believe this is inside of the tests. I think it may be a false positive; please drop the CVE link.

@swetha8612
Author

Thank you for your response. I don't have a CVE link, but I have some data from the Fortify scan. The file path in the repo is \axios\dist\axios.js

In this case, the data is sent to setAttribute() in the axios.js file.

The malicious content sent to the web browser often takes the form of a JavaScript segment, but can also include HTML, Flash or any other type of code that the browser executes. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data such as cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
Cross-site scripting (XSS) vulnerabilities occur when:

  1. Data enters a web application through an untrusted source. In the case of DOM-based XSS, data is read from a URL parameter or other value within the browser and written back into the page with client-side code. In the case of reflected XSS, the untrusted source is typically a web request, while in the case of persisted (also known as stored) XSS it is typically a database or other back-end data store.

  2. The data is included in dynamic content that is sent to a web user without validation. In the case of DOM-based XSS, malicious content is executed as part of DOM (Document Object Model) creation, whenever the victim's browser parses the HTML page.

@scku208

scku208 commented Sep 27, 2024

Hello @jasonsaayman , I think I have encountered a similar issue. I used Checkmarx for vulnerability scanning, and the Axios version is 1.7.7.

The documentation explains that in the axios.js, the source is line 793, and the destination is line 782.

```js
....
780.
781.
function s(o) {
let i = o;

....
782. return t && (n.setAttribute("href", i), i = n.href),
n.setAttribute("href", i), {

....
793.
return r = s(window.location.href),
```

However, since this is the result after the Vue build, I suspect it should be the following function.
(It looks like "function s -> resolveURL, parameter url -> o, var href -> i")

from line 2656:

```js
function resolveURL(url) {
  var href = url;
  if (msie) {
    // IE needs attribute set twice to normalize properties
    urlParsingNode.setAttribute('href', href);
    href = urlParsingNode.href;
  }
  urlParsingNode.setAttribute('href', href);

  // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
  return {
    href: urlParsingNode.href,
    protocol: urlParsingNode.protocol ? urlParsingNode.protocol.replace(/:$/, '') : '',
    host: urlParsingNode.host,
    search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/, '') : '',
    hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') : '',
    hostname: urlParsingNode.hostname,
    port: urlParsingNode.port,
    pathname: urlParsingNode.pathname.charAt(0) === '/' ? urlParsingNode.pathname : '/' + urlParsingNode.pathname
  };
}
originURL = resolveURL(window.location.href);
```

If there is a confirmed cybersecurity risk, I hope you can assist in handling it.

The following is what I found in ChatGPT. It suggested the following solutions:

The issue you encountered is due to unfiltered or unencoded external input being directly embedded into HTML attributes in the axios-DsPaXkF5.js file, which can lead to potential cross-site scripting (XSS) attacks. This is a security vulnerability that should be properly addressed. Here are a few solutions:

  1. Parameter Validation and Sanitization
     Ensure that all inputs for the href attribute are validated and sanitized. You can use a function to filter or sanitize untrusted inputs. For example:

```js
function sanitizeUrl(url) {
    // Check URL format
    const urlPattern = /^(https?:\/\/|\/|#)/; // Allowed URL formats
    if (!urlPattern.test(url)) {
        return '#'; // Return default value to avoid unsafe URLs
    }
    return url;
}
// Use this function to sanitize before setting the href attribute:
let safeUrl = sanitizeUrl(i);
n.setAttribute("href", safeUrl);
```

  2. Use DOMPurify
     If you need to support more complex HTML content, consider using DOMPurify. This is a library specifically designed for sanitizing HTML and can help filter out potential XSS attacks:

```js
// Import DOMPurify
import DOMPurify from 'dompurify';

// Use DOMPurify to clean the URL
let safeUrl = DOMPurify.sanitize(i);
n.setAttribute("href", safeUrl);
```

  3. Use the URL Object
     Use JavaScript's URL object to parse and validate URLs. This ensures that only valid URLs will be used:

```js
function isValidUrl(url) {
    try {
        new URL(url);
        return true;
    } catch {
        return false;
    }
}
// Use it
if (isValidUrl(i)) {
    n.setAttribute("href", i);
} else {
    n.setAttribute("href", '#'); // Or another safe default value
}
```

  4. Implement Content Security Policy (CSP)
     Setting a CSP header can enhance the security of your website and help prevent XSS attacks. While this cannot completely replace sanitization of untrusted data, it can serve as an additional layer of defense. You can set CSP in the server's response headers:

```
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
```

Summary
Always take security measures when handling untrusted input by using validation, sanitization, CSP, and other methods to reduce potential security risks. These steps can not only fix the current vulnerabilities but also improve the overall security of the application.
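An added example, not code from axios or from any commenter in this thread. It gives a Node-runnable equivalent of the quoted resolveURL() built on the WHATWG URL API (the parser that an anchor element's href setter implements), the protocol-plus-host same-origin comparison that axios derives from it, and an href validator that, unlike the isValidUrl() snippet quoted above, resolves relative references against the page origin before allowlisting the scheme. The page origin, the allowed scheme set and every test input are constructed assumptions. In the axios source this helper comes from, urlParsingNode is an anchor created with document.createElement('a') and never inserted into the document, so setting its href parses the string rather than rendering it; the scanner sees an attribute sink but no render path, which is why a URL-parsing rewrite gives the same result without the sink.

```javascript
// Added example (not axios's code). Runs under Node.js with the global URL class;
// no DOM is required.

// Constructed stand-in for window.location.href (assumption: the page origin).
const PAGE_HREF = 'https://app.example.com/dashboard?tab=1#top';

// Equivalent of the quoted resolveURL(): instead of setting href on a detached
// <a> element it calls the URL parser directly, resolving relative references
// against the page URL exactly as the anchor element would.
function resolveURL(url, base = PAGE_HREF) {
  const u = new URL(url, base);
  return {
    href: u.href,
    protocol: u.protocol.replace(/:$/, ''),   // 'https:' -> 'https'
    host: u.host,                             // hostname plus non-default port
    search: u.search.replace(/^\?/, ''),      // drop the leading '?'
    hash: u.hash.replace(/^#/, ''),           // drop the leading '#'
    hostname: u.hostname,
    port: u.port,
    pathname: u.pathname.charAt(0) === '/' ? u.pathname : '/' + u.pathname,
  };
}

// Same-origin test in the shape axios uses it: protocol and host must both match.
const originURL = resolveURL(PAGE_HREF);
function isURLSameOrigin(requestURL) {
  const parsed = resolveURL(requestURL);
  return parsed.protocol === originURL.protocol && parsed.host === originURL.host;
}

// The isValidUrl() suggestion quoted above, kept for comparison: new URL() with
// no base throws for relative references, so '/api/users' is reported invalid.
function isValidUrlNoBase(url) {
  try {
    new URL(url);
    return true;
  } catch (e) {
    return false;
  }
}

// Validator for an href that will actually be rendered into the page: resolve
// against the page origin so relative links keep working, then allow only the
// schemes in ALLOWED_SCHEMES (assumption: http and https). Anything that fails
// to parse or carries another scheme is replaced by the inert '#'.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
function safeHref(url, base = PAGE_HREF) {
  let u;
  try {
    u = new URL(url, base);
  } catch (e) {
    return '#';
  }
  return ALLOWED_SCHEMES.has(u.protocol) ? u.href : '#';
}

// Stand-alone demonstration on constructed inputs.
for (const candidate of ['/profile', '#top', 'https://api.example.com/v1', 'mailto:someone@example.com']) {
  console.log(candidate, '->', safeHref(candidate), 'sameOrigin:', isURLSameOrigin(candidate));
}
```

The comparison is protocol and host only, matching the quoted helper; hostname and port are still returned because callers sometimes need them, but they are not part of the origin decision here.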

@jasonsaayman
Member

Thanks for the additional information. I will try to get an appropriate fix for this.


3 participants