javascript: Fix spelling error in documentation #20434
Conversation
Corrects the spelling of "occurrences" in the Incomplete Multi-Character Sanitization documentation to improve clarity.
|
QHelp previews: javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.qhelpIncomplete multi-character sanitizationSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input. Attackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities. RecommendationTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization. If a library is not an option, you can consider alternative strategies to fix the issue. For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text. ExampleConsider the following JavaScript code that aims to remove all HTML comment start and end tags: str.replace(/<!--|--!?>/g, ""); Given the input string "<!<!--- comment --->>", the output will be "<!-- comment -->", which still contains an HTML comment. One possible fix for this issue is to apply the regular expression replacement repeatedly until no more replacements can be performed. This ensures that the unsafe text does not re-appear in the sanitized input, effectively removing all instances of the targeted pattern: function removeHtmlComments(input) {
let previous;
do {
previous = input;
input = input.replace(/<!--|--!?>/g, "");
} while (input !== previous);
return input;
} ExampleAnother example is the following regular expression intended to remove script tags: str.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/g, ""); If the input string is "<scrip<script>is removed</script>t>alert(123)</script>", the output will be "<script>alert(123)</script>", which still contains a script tag. A fix for this issue is to rewrite the regular expression to match single characters ("<" and ">") instead of the entire unsafe text. This simplifies the sanitization process and ensures that all potentially unsafe characters are removed: function removeAllHtmlTags(input) {
return input.replace(/<|>/g, "");
}Another potential fix is to use the popular const sanitizeHtml = require("sanitize-html");
function removeAllHtmlTags(input) {
return sanitizeHtml(input);
}ExampleLastly, consider a path sanitizer using the regular expression str.replace(/\.\.\//g, ""); The regular expression attempts to strip out all occurrences of A possible fix for this issue is to use the "sanitize-filename" npm library for path sanitization. This library is specifically designed to handle path sanitization, and should handle all corner cases and ensure effective sanitization: const sanitize = require("sanitize-filename");
function sanitizePath(input) {
return sanitize(input);
} References
|
There was a problem hiding this comment.
Pull Request Overview
This PR fixes a spelling error in the documentation for Incomplete Multi-Character Sanitization by correcting "occurences" to "occurrences" in the JavaScript security documentation.
Key Changes
- Corrected spelling of "occurrences" in security documentation
This change corrects the spelling of "occurrences" in the Incomplete Multi-Character Sanitization documentation. This fix aims to improve clarity and ensure that the documentation accurately reflects the intended terminology.