javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading

profile photo of semgrepsemgrep
Author
180
Download Count*

$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.

Run Locally

Run in CI

Defintion

rules:
  - id: detect-angular-resource-loading
    message: $sceDelegateProvider allowlisting can introduce security issues if
      wildcards are used.
    metadata:
      references:
        - https://docs.angularjs.org/api/ng/service/$sce#trustAsJs
        - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf
      category: security
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      technology:
        - angular
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - javascript
      - typescript
    severity: WARNING
    pattern-either:
      - pattern: |
          $sceDelegateProvider.resourceUrlWhitelist([...,'**',...]);
      - patterns:
          - pattern: |
              $sceDelegateProvider.resourceUrlWhitelist([...,$DOM,...]);
          - metavariable-regex:
              metavariable: $DOM
              regex: ^'.*\*\*.+'$

Examples

detect-angular-resource-loading.js

var app = angular.module('MyApp', []).config(function ($sceDelegateProvider) {
    // ruleid: detect-angular-resource-loading
    $sceDelegateProvider.resourceUrlWhitelist([ '**' ]);

    // ruleid: detect-angular-resource-loading
    $sceDelegateProvider.resourceUrlWhitelist(['http://semgrep.dev', '**']);

    // ruleid: detect-angular-resource-loading
    $sceDelegateProvider.resourceUrlWhitelist(['http://semgrep.dev', '**', 'http://semgrep.dev']);

    // ruleid: detect-angular-resource-loading
    $sceDelegateProvider.resourceUrlWhitelist(['http://**.semgrep.dev']);

    // ok: detect-angular-resource-loading
    $sceDelegateProvider.resourceUrlWhitelist(['http://semgrep.dev/ooo']);

    // ok: detect-angular-resource-loading
    $sceDelegateProvider.resourceUrlWhitelist(['http://semgrep.dev/**']);

    // ok: detect-angular-resource-loading
    $sceDelegateProvider.resourceUrlWhitelist(['http://semgrep.dev']);

});
 app.controller('myCtrl', function($scope) {

 $scope.userInput = 'foo';
     $scope.sayHello = function() {
      $scope.html = "Hello <b>" + $scope.userInput + "</b>!"

    };

 });