New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JS: Dynamic import as code injection sink #14293
base: main
Are you sure you want to change the base?
JS: Dynamic import as code injection sink #14293
Conversation
|
Hi, I wanted to add two sinks, one of the sinks should have a |
|
@amammad Not sure flow labels are needed for this use case. Can you try removing them and checking if the taint flows through the string concatenations and URL construction (keeping the existing flow step)? |
|
@pwntester I'm using labels because dynamic import doesn't need a URL construction but worker needs. |
|
Does the Worker constructor accept either a String or an URL and only the later is vulnerable? If thats the case, you need the Flow labels and affixing a label on the URL constructor that you can later check at the sink. Note that you can ignore that check for the imports sink but enforce it for the Worker one. |
|
@pwntester |
|
@amammad Ok, in that case you need to use flow labels as you were doing. Sorry for the confusion. You can start use the regular |
Dynamic import in nodejs support URLs starts with
data:which is dangerous.There is another nodejs API that accepts the data: URL which is:
but it needs to be a URL Type as input, not any string value that starts with
data:, I'm not sure what is the best way to implement it.