CodeQL: Incomplete string escaping or encoding @ lib/readfiles.js:13 #8
Comments
Hmm odd ok I'll take a look
Hi @guatedude2
Hey so sorry I did not let me try looking into it tonight
@IamGreut Refactored library to TypeScript can you try now
Let me know if this worked. If it doesn't I'll reopen this issue
Hi @guatedude2, thanks for refactoring the library. We compared function
@guatedude2 just to clarify - we are more interested in whether or not the 2 alerts brought up by CodeQL (this one and issue #9) are valid based on the intentions of the code. To @ThibaudLopez's point, since we did not detect any change in the actual Thank you so much for your attention and work you've done already.
I see. I think this might be CodeQL misinterpreting my actions. I've updated the regex to escape backslashes. It seems there would be issues with not escaping them. Let me know if that addresses the issue with CodeQL.
Hi @guatedude2, following #7 and #9, CodeQL reported another finding (see screenshot below):
Incomplete string escaping or encoding
lib/readfiles.js:13
Sanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.
CodeQL
js/incomplete-sanitization
You probably see the same on your CodeQL dashboard.
Is this a true positive or false positive?
Thanks
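For readers unfamiliar with what js/incomplete-sanitization flags, here is an added example (not code from this repository): the two incomplete patterns the rule looks for (a replace that only rewrites the first match, and one that escapes quotes but not backslashes, which is the fix the maintainer mentions below), next to a version that escapes both globally, with a round-trip check through a JSON parser as the hypothetical consumer.

```javascript
// Added example, not the readfiles project's own code. Uses JSON.parse as the
// consumer of the escaped value; for a real JSON producer, control characters
// would need escaping too, which is out of scope here.

// Incomplete #1: replace() with a string (or non-global regex) pattern only
// rewrites the FIRST occurrence, so a second quote survives unescaped.
function escapeFirstQuoteOnly(s) {
  return s.replace('"', '\\"');
}

// Incomplete #2: global, but backslashes are left alone, so a backslash in
// the input can neutralise the escaping of the quote that follows it.
function escapeQuotesNoBackslash(s) {
  return s.replace(/"/g, '\\"');
}

// Complete: escape the escape character first, then the delimiter, globally.
function escapeQuotesAndBackslashes(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Wraps the escaped value in quotes, parses it back and compares with the
// original. A mismatch or a parse error means the escaping lost or altered
// data (or let the value break out of the quoted context).
function roundTrips(escaper, value) {
  try {
    return JSON.parse('"' + escaper(value) + '"') === value;
  } catch (e) {
    return false;
  }
}

// Constructed inputs, each aimed at one of the defects above.
const SAMPLES = [
  'plain',
  'a"b"c',   // two quotes: exposes the first-match-only bug
  'x\\"y',   // backslash before a quote: exposes missing backslash escaping
];

// True only if the escaper survives every constructed sample.
function isCompleteEscaper(escaper) {
  return SAMPLES.every((v) => roundTrips(escaper, v));
}
```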