/
detect-angular-element-methods.yaml
63 lines (63 loc) · 1.94 KB
/
detect-angular-element-methods.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
rules:
- id: detect-angular-element-methods
message: >-
Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within
`$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If
the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or
$sanitize.
metadata:
confidence: LOW
references:
- https://docs.angularjs.org/api/ng/function/angular.element
- https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf
category: security
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
technology:
- angularjs
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
languages:
- javascript
- typescript
severity: INFO
mode: taint
pattern-sources:
- patterns:
- pattern-either:
- patterns:
- pattern-inside: |
function(..., $SCOPE, ...) { ... }
- focus-metavariable: $SCOPE
- metavariable-regex:
metavariable: $SCOPE
regex: ^\$scope$
- pattern: $rootScope
- pattern: $injector.get('$rootScope')
- pattern: $injector.get('$scope')
pattern-sinks:
- patterns:
- pattern-either:
- pattern-inside: |
angular.element(...). ... .$SINK($QUERY)
- pattern-inside: |
$ANGULAR = angular.element(...)
...
$ANGULAR. ... .$SINK($QUERY)
- metavariable-regex:
metavariable: $SINK
regex: ^(after|append|html|prepend|replaceWith|wrap)$
- focus-metavariable: $QUERY
pattern-sanitizers:
- patterns:
- pattern-either:
- pattern: $sce.getTrustedHtml(...)
- pattern: $sanitize(...)
- pattern: DOMPurify.sanitize(...)