| if (typeof body === 'string') { | ||
| // Remove any extra characters that appear before or after the SOAP envelope. | ||
| const regex = /(?:<\?[^?]*\?>[\s]*)?<([^:]*):Envelope([\S\s]*)<\/\1:Envelope>/i; | ||
| const match = body.replace(/<!--[\s\S]*?-->/, '').match(regex); |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
| if (typeof body === 'string') { | ||
| // Remove any extra characters that appear before or after the SOAP envelope. | ||
| const regex = /(?:<\?[^?]*\?>[\s]*)?<([^:]*):Envelope([\S\s]*)<\/\1:Envelope>/i; | ||
| const match = body.replace(/<!--[\s\S]*?-->/, '').match(regex); |
Check failure
Code scanning / CodeQL
Incomplete multi-character sanitization High
Copilot Autofix
AI 11 months ago
To fix the problem, we need to ensure that all occurrences of HTML comments are removed from the body string. The best way to achieve this is to apply the regular expression replacement repeatedly until no more replacements can be performed. This ensures that all instances of the targeted pattern are removed.
We will modify the handleResponse method to repeatedly apply the regular expression replacement until the body string no longer changes. This approach guarantees that all HTML comments are removed, preventing any potential injection vulnerabilities.
| @@ -175,3 +175,8 @@ | ||
| const regex = /(?:<\?[^?]*\?>[\s]*)?<([^:]*):Envelope([\S\s]*)<\/\1:Envelope>/i; | ||
| const match = body.replace(/<!--[\s\S]*?-->/, '').match(regex); | ||
| let previous; | ||
| do { | ||
| previous = body; | ||
| body = body.replace(/<!--[\s\S]*?-->/g, ''); | ||
| } while (body !== previous); | ||
| const match = body.match(regex); | ||
| if (match) { |
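Review bot: The suggested loop writes the stripped text back into `body`, so any later code that still reads `body` would see the comment-stripped string, and the hunk does not show whether `body` is reassignable at this point; keeping the result in a local, `let stripped = body;` with `const match = stripped.match(regex);`, leaves the original value intact. Each pass of `/<!--[\s\S]*?-->/g` also rescans to the end of the input for every `<!--` that has no terminator, and the envelope `regex` on the first line is unchanged, so the work done on an oversized response is still unbounded; a length check on `body` before the loop would cap both. The enclosing function starts and ends outside the hunk.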
| if (~ns.indexOf('http://www.w3.org/')) { | ||
| continue; | ||
| } | ||
| if (~ns.indexOf('http://xml.apache.org/')) { |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High
Copilot Autofix
AI 11 months ago
To fix the problem, we need to replace the substring check with a more robust method that parses the URL and verifies the host explicitly. This involves using the url module to parse the URL and then checking the host against a whitelist of allowed hosts.
- Parse the URL using the `url` module to extract the host.
- Check if the host is in a predefined list of allowed hosts.
- Replace the substring check with this new method.
| @@ -1346,3 +1346,5 @@ | ||
| } | ||
| if (~ns.indexOf('http://xml.apache.org/')) { | ||
| const parsedUrl = url.parse(ns); | ||
| const allowedHosts = ['xml.apache.org']; | ||
| if (allowedHosts.includes(parsedUrl.host)) { | ||
| continue; |
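Review bot: The replacement compares `parsedUrl.host`, which includes any port and ignores the scheme, so the check no longer means "the namespace URI begins with `http://xml.apache.org/`"; because XML namespace names are compared as strings rather than dereferenced, an anchored prefix test, `if (ns.startsWith('http://xml.apache.org/')) {`, is the narrower fix and needs no parser. As written the hunk also relies on a `url` binding it does not add (no `require('url')` is visible), uses the legacy `url.parse` API, and rebuilds `allowedHosts` on every pass through what appears to be a loop. The `http://www.w3.org/` test shown in the flagged snippet stays as `~ns.indexOf(...)`, so the two adjacent checks would end up with different semantics. The enclosing loop starts and ends outside the hunk.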
| before(function (done) { | ||
|
|
||
| server = http.createServer(function(request,response) { | ||
| response.end('404: Not Found: ' + request.url); |
Check failure
Code scanning / CodeQL
Reflected cross-site scripting High test
Copilot Autofix
AI 11 months ago
To fix the reflected cross-site scripting vulnerability, we need to sanitize the request.url before including it in the response. The best way to do this is by using a well-known library for escaping HTML, such as escape-html. This will ensure that any potentially malicious content in the URL is properly escaped and cannot be executed as a script in the user's browser.
We will:
- Import the `escape-html` library.
- Use the `escape` function from the `escape-html` library to sanitize the `request.url` before including it in the response.
| @@ -1,8 +1,9 @@ | ||
| 'use strict'; | ||
|
|
||
| var assert = require('assert'); | ||
| var http = require('http'); | ||
| var soap = require('..'); | ||
| var server; | ||
| var url; | ||
| 'use strict'; | ||
|
|
||
| var assert = require('assert'); | ||
| var http = require('http'); | ||
| var escape = require('escape-html'); | ||
| var soap = require('..'); | ||
| var server; | ||
| var url; | ||
|
|
||
| @@ -77,5 +78,5 @@ | ||
|
|
||
| server = http.createServer(function(request,response) { | ||
| response.end('404: Not Found: ' + request.url); | ||
| }); | ||
| server = http.createServer(function(request,response) { | ||
| response.end('404: Not Found: ' + escape(request.url)); | ||
| }); | ||
|
|
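Review bot: `var escape = require('escape-html');` shadows the built-in global `escape()` in this test file, and the escaping only matters if a client renders the body as HTML, since the handler sets no content type. Declaring the body as text with `response.setHeader('Content-Type', 'text/plain');` before `response.end(...)` would address the same finding without a new dependency; if the library is kept, a binding name such as `escapeHtml` avoids the shadowing. The same applies to the second test server further down, where `escape(request.url)` is added in the `@@ -43,3 +44,3 @@` hunk.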
| @@ -18,3 +18,4 @@ | ||
| "whatwg-mimetype": "4.0.0", | ||
| "xml-crypto": "^6.0.1" | ||
| "xml-crypto": "^6.0.1", | ||
| "escape-html": "^1.0.3" | ||
| }, |
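Review bot: `escape-html` is required only from test files in the hunks shown, yet it is appended directly after `xml-crypto`; if this block is `dependencies` (the key is outside the hunk), every consumer of the package would install a module the library itself never loads. Moving the entry to `devDependencies` keeps the runtime dependency set unchanged. The same entry appears again in the later `@@ -18,3 +18,4 @@` suggestion.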
| Package | Version | Security advisories |
| escape-html (npm) | 1.0.3 | None |
| before(function (done) { | ||
|
|
||
| server = http.createServer(function (request, response) { | ||
| response.end('404: Not Found: ' + request.url); |
Check failure
Code scanning / CodeQL
Reflected cross-site scripting High test
Copilot Autofix
AI 11 months ago
To fix the reflected cross-site scripting vulnerability, we need to sanitize the user input before incorporating it into the response. The best way to do this is by using a library that provides HTML escaping functionality. In this case, we can use the escape-html library to escape the request.url before including it in the response.
- Install the `escape-html` library.
- Import the `escape-html` library in the file.
- Use the `escape` function from the `escape-html` library to sanitize the `request.url` before concatenating it into the response.
| @@ -7,2 +7,3 @@ | ||
| const { default: axios } = require('axios'); | ||
| var escape = require('escape-html'); | ||
| var server; | ||
| @@ -43,3 +44,3 @@ | ||
| server = http.createServer(function (request, response) { | ||
| response.end('404: Not Found: ' + request.url); | ||
| response.end('404: Not Found: ' + escape(request.url)); | ||
| }); |
| @@ -18,3 +18,4 @@ | ||
| "whatwg-mimetype": "4.0.0", | ||
| "xml-crypto": "^6.0.1" | ||
| "xml-crypto": "^6.0.1", | ||
| "escape-html": "^1.0.3" | ||
| }, |
| Package | Version | Security advisories |
| escape-html (npm) | 1.0.3 | None |
611fca9 to
9c6ad01
No description provided.