Fix incomplete-sanitization findings with regex #739
Comments
dlpzx
added
type: enhancement
dlpzx
added a commit
that referenced
this issue
Sep 13, 2023
… merge package (#751) ### Feature or Bugfix - Feature - Bugfix ### Detail - add npm-audit github workflow on PR - add semgrep worflow on PR and on schedule - ignore semgrep issues with explanation. Those to be fixed will be fixed in #739 and #738 - remove make security checks that uses safety library and rename it as linting - upgrade all pacakges, add package-lock and pin merge to version 2.1.1 ### Relates ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
dlpzx
added a commit
that referenced
this issue
Sep 19, 2023
…te-sanitization (#762) ### Feature or Bugfix - Refactoring ### Detail Use `replaceAll` instead of `replace` command in parsing the custom SAML groups. This way all appearances of `[` and `]` are replaced. I did not want to modify the command more as it is touching the integration with other IdPs. ### Relates - #739 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? ---> ⭐ exactly this is what this PR is trying to improve. - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
anmolsgandhi
removed
the
status: not-picked-yet
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your idea related to a problem? Please describe.
From several scanning tools we are receiving the following error. Description:
session.getIdToken().payload['custom:saml.groups'].replacemethod will only replace the first occurrence when used with a string argument ('['). If this method is used for escaping of dangerous data then there is a possibility for abypass.Try to use sanitization library instead or use a Regex with a global flag. Details: https://sg.run/1GbQ
Which happens in
frontend/src/services/hooks/useGroups.jsDescribe the solution you'd like
We have verified that there is no risk in this security finding, as the string replacement does not filter any user input (potential malicious input). In any case, we can fix it by using a regex, so it is better to have it fixed than to ignore it
P.S. Don't attach files. Please, prefer add code snippets directly in the message body.
The text was updated successfully, but these errors were encountered: