Fix code scanning alert - Incomplete string escaping or encoding #5508

Closed
1 task
unlikelyzero opened this issue Jul 14, 2022 · 4 comments

Assignees
Labels
severity:blocker type:maintenance tests, chores, or project maintenance

Comments

@unlikelyzero
Collaborator

Tracking issue for:

@akhenry
Contributor

akhenry commented Jul 15, 2022

I believe that this has been incorrectly identified as a security risk. The string in question is not a user input, it's machine generated.

@unlikelyzero
Collaborator Author

unlikelyzero commented Jul 18, 2022

@alizenguyen can you verify if this appears in your CodeQL/LGTM research?

@akhenry
Contributor

akhenry commented Aug 1, 2022

I believe this is a false positive. We are not trying to do general character escaping here. What this code is doing is adding an escape character specifically to : characters in namespaces. This is because : has a special meaning in Open MCT keystrings, and delineates namespaces from keys. There is some corresponding code in parseKeyString that subsequently removes this escape character.

Moreover, the highlighted code is not a user input, and as such presents no security vulnerability.

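The escaping scheme the comment above describes, written out as an added example (this is not Open MCT's code and not the commenter's): a keystring has the form `namespace:key`, a `:` inside the namespace gets an escape character in front of it when the keystring is built, and the parser removes that escape again and splits at the first unescaped `:`. The function names `makeKeyString` and `parseKeyString`, the choice of backslash as the escape character, and the sample identifiers are assumptions of this example. It also escapes the backslash itself, which the comment does not mention; that is a choice made here so the round trip holds for every namespace string, including one that ends in a backslash.

```javascript
'use strict';

// Added example, not Open MCT's implementation. Function names and the
// escape character are assumptions made for illustration.
const SEPARATOR = ':';
const ESCAPE = '\\';

// Put an escape in front of every ':' in the namespace so it is not taken
// as the namespace/key delimiter. The backslash is escaped too (a choice of
// this example) so that a namespace containing backslashes round-trips.
function escapeNamespace(namespace) {
  let out = '';
  for (const ch of namespace) {
    if (ch === SEPARATOR || ch === ESCAPE) {
      out += ESCAPE;
    }
    out += ch;
  }
  return out;
}

// identifier -> keystring. An empty namespace yields the bare key.
function makeKeyString(identifier) {
  if (!identifier || typeof identifier.key !== 'string') {
    throw new TypeError('identifier must have a string key');
  }
  if (!identifier.namespace) {
    return identifier.key;
  }
  return escapeNamespace(identifier.namespace) + SEPARATOR + identifier.key;
}

// keystring -> identifier. Walk the string, drop escape characters from the
// namespace, and split at the first ':' that is not preceded by an escape.
// Everything after that separator is the key, taken verbatim.
function parseKeyString(keyString) {
  if (typeof keyString !== 'string') {
    throw new TypeError('keyString must be a string');
  }
  let namespace = '';
  for (let i = 0; i < keyString.length; i++) {
    const ch = keyString[i];
    if (ch === ESCAPE) {
      if (i + 1 >= keyString.length) {
        throw new Error('dangling escape character in keystring');
      }
      namespace += keyString[i + 1]; // keep the escaped char, drop the escape
      i++;
    } else if (ch === SEPARATOR) {
      return { namespace, key: keyString.slice(i + 1) };
    } else {
      namespace += ch;
    }
  }
  // No unescaped separator found: the whole string is a key with no namespace.
  return { namespace: '', key: keyString };
}

// Build, parse, and compare with the original identifier.
function roundTrips(identifier) {
  const parsed = parseKeyString(makeKeyString(identifier));
  return parsed.namespace === (identifier.namespace || '') &&
    parsed.key === identifier.key;
}

// Constructed sample identifiers, including the ':'-in-namespace case the
// comment is about and a namespace ending in the escape character.
const SAMPLE_IDENTIFIERS = [
  { namespace: '', key: 'mine' },
  { namespace: 'taxonomy', key: 'spacecraft' },
  { namespace: 'a:b', key: 'c' },
  { namespace: 'ends\\', key: 'k' },
];

function allSamplesRoundTrip() {
  return SAMPLE_IDENTIFIERS.every(roundTrips);
}

for (const id of SAMPLE_IDENTIFIERS) {
  console.log(JSON.stringify(id), '->', makeKeyString(id));
}
```

`makeKeyString({ namespace: 'a:b', key: 'c' })` yields `a\:b:c`, and `parseKeyString` on that string returns the namespace `a:b` and key `c` again. The parser treats `\` only as a marker to skip the next character, so the escape is purely structural and nothing is interpreted; a trailing backslash with no character after it is rejected rather than silently swallowed.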
@akhenry
Contributor

akhenry commented Aug 1, 2022

Dismissed corresponding alert for reasons above.

@akhenry akhenry closed this as completed Aug 1, 2022
@shefalijoshi shefalijoshi added the type:maintenance tests, chores, or project maintenance label Aug 25, 2022