False positive: Dangerous JS Functions #7732
Comments
Be aware the highlighting is first match. So what's being highlighted might not be what the rule triggered on. (We know this is a weakness and have an existing issue covering it.)
I think the problem here is the modern practice of bundling. I'm not sure there's a good solution here. Right now I think the only realistic option is to treat these as False Positives on a case by case basis, i.e. by the user. Unless anyone else has any better suggestions?
That seems like the most reasonable plan to me. https://www.zaproxy.org/docs/desktop/addons/alert-filters/ Also once we have ANTLR integrated we might have a better way to exclude JS comments from some passive rules.
When scanning my application I saw this Dangerous JS Functions alert (id 10110) show up. After investigating I was able to pinpoint that it is being generated from a piece of code in an angular-generated file in the node_modules folder.
The scan believes we are using the bypassSecurityTrustHtml function and reports it as a 'Dangerous JS Function'. After further investigation, our application is not using this function but the scan is finding the function definition in the node_modules folder. I was able to find this function definition in this file node_modules/@angular/platform-browser/fesm2020/platform-browser.mjs
I tried removing this function definition and no longer using the @angular/platform-browser package. When I removed this the scan found another instance where it is finding the word 'eval' in the comment of this angular-generated file and reported it as a 'Dangerous JS Function'. This comment is stemming from this file node_modules/@angular/core/fesm2020/core.mjs
If I were to remove the comment in the angular file and then rerun the scan I would see the scan pick up another instance of a comment with the word 'eval' and report it as a 'Dangerous JS Function'. It seems that this might be a false positive and the scan is incorrectly reporting this vulnerability.
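As an added example (not code from this issue or from ZAP's own rule), the Python below shows why plain word matching raises the alerts reported above (`eval` inside comments and a `bypassSecurityTrustHtml` method definition in a bundled Angular file) and how stripping JS comments and skipping definitions before matching, the direction the ANTLR remark points at, suppresses them. The comment stripper, the definition heuristic and the sample source are this example's own simplifications and assumptions (regex literals are not handled), not the passive rule's implementation.

```python
import re
# Names this issue saw flagged by ZAP's "Dangerous JS Functions" rule (illustrative list)
DANGEROUS = ("eval", "bypassSecurityTrustHtml")

def strip_js_comments(src: str) -> str:
    """Blank out // and /* */ comments (newlines kept), copying string literals verbatim."""
    out, i, n = [], 0, len(src)
    while i < n:
        if src[i] in "'\"`":                              # string/template literal: copy as-is
            j = i + 1
            while j < n and src[j] != src[i]:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1]); i = j + 1
        elif src.startswith("//", i):                     # line comment -> spaces
            j = src.find("\n", i); j = n if j < 0 else j
            out.append(" " * (j - i)); i = j
        elif src.startswith("/*", i):                     # block comment -> spaces, keep newlines
            j = src.find("*/", i + 2); j = n if j < 0 else j + 2
            out.append(re.sub(r"[^\n]", " ", src[i:j])); i = j
        else:
            out.append(src[i]); i += 1
    return "".join(out)

def is_definition(code: str, paren: int) -> bool:
    """Heuristic (assumption): name(...) followed by '{' is a function/method definition, not a call."""
    depth = 0
    for j in range(paren, len(code)):
        depth += {"(": 1, ")": -1}.get(code[j], 0)
        if depth == 0:
            return code[j + 1:].lstrip().startswith("{")
    return False

def find_dangerous(src: str, naive: bool = False):
    """(line, name) per finding; naive=True is plain word matching, the behaviour the issue reports."""
    names = "|".join(DANGEROUS)
    if naive:
        return [(src.count("\n", 0, m.start()) + 1, m.group(1))
                for m in re.finditer(r"\b(%s)\b" % names, src)]
    code = strip_js_comments(src)
    return [(code.count("\n", 0, m.start()) + 1, m.group(1))
            for m in re.finditer(r"\b(%s)\s*\(" % names, code)
            if not is_definition(code, m.end() - 1)]

# Constructed sample: eval in comments, a bypassSecurityTrustHtml method definition, one real call
SAMPLE = """\
// Angular's JIT compiler does not eval user templates (comment only)
const sanitizer = { bypassSecurityTrustHtml(value) { return bypassSanitizationTrustHtml(value); } };
/* legacy: eval was used here */
const result = eval(userInput);   // the only genuine call site
"""
```

Against `SAMPLE`, `find_dangerous(SAMPLE, naive=True)` reports four findings (lines 1 to 4), while `find_dangerous(SAMPLE)` reports only the genuine call on line 4.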