Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CWE-117 fix #3549

Open
wants to merge 1 commit into
base: master
from
Open

CWE-117 fix #3549

wants to merge 1 commit into from

Conversation

@viananicolas
Copy link

@viananicolas viananicolas commented Sep 9, 2020

What's this PR do/fix?

This PR fixes the CWE-117 vulnerability as reported by @jackatsw

Any background context you want to provide?

https://stackoverflow.com/a/58623439/4634501

What are the relevant issues?

#3508

@StephanHCB
Copy link

@StephanHCB StephanHCB commented Sep 21, 2020

Just noticed that this touches the same lines of code I addressed in #3568, only this does not also address newline injections (log forgery attack), only html injections.

I must say, I like htmlEncoding better than my urlEncoding version, both for the simplicity in code and for readability in the logs, but in order to fully fix all issues including log injection you'd have to also escape newlines (\n, \r) in some manner.

Also have a look at the contract test coverage I added in my PR, completing coverage of the 2 controller classes. I think our PRs could be combined to form an even better solution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
You can’t perform that action at this time.