Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upCWE-117 fix #3549
Open
CWE-117 fix #3549
+4
−2
Conversation
|
Just noticed that this touches the same lines of code I addressed in #3568, only this does not also address newline injections (log forgery attack), only html injections. I must say, I like htmlEncoding better than my urlEncoding version, both for the simplicity in code and for readability in the logs, but in order to fully fix all issues including log injection you'd have to also escape newlines (\n, \r) in some manner. Also have a look at the contract test coverage I added in my PR, completing coverage of the 2 controller classes. I think our PRs could be combined to form an even better solution. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
What's this PR do/fix?
This PR fixes the CWE-117 vulnerability as reported by @jackatsw
Any background context you want to provide?
https://stackoverflow.com/a/58623439/4634501
What are the relevant issues?
#3508