javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method
semgrepAuthor
408
Download Count*
License
The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.
Run Locally
Run in CI
Defintion
rules:
- id: detect-angular-trust-as-method
message: The use of $sce.trustAs can be dangerous if unsanitized user input
flows through this API.
metadata:
references:
- https://docs.angularjs.org/api/ng/service/$sce
- https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf
category: security
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
technology:
- angular
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- javascript
- typescript
severity: WARNING
mode: taint
pattern-sources:
- patterns:
- pattern-inside: |
app.controller(..., function($scope,$sce) {
...
});
- pattern: $scope.$X
pattern-sinks:
- pattern: $sce.trustAs(...)
- pattern: $sce.trustAsHtml(...)
Examples
detect-angular-trust-as-method.js
var app = angular.module('MyApp', []);
app.controller('myCtrl', function($scope, $sce) {
$scope.userInput = 'foo';
$scope.sayHello = function() {
value = $scope.html
// ruleid:detect-angular-trust-as-method
$sce.trustAs($sce.HTML, value);
// ruleid:detect-angular-trust-as-method
$sce.trustAs($sce.CSS, value);
// ruleid:detect-angular-trust-as-method
$sce.trustAs($sce.JS, value);
// ruleid:detect-angular-trust-as-method
$sce.trustAs($sce.RESOURCE_URL, value);
// ruleid:detect-angular-trust-as-method
$sce.trustAs($sce.URL, value);
//Data is not coming from user input
$scope.trustedurl = $sce.trustAs('stringLiteral');
};
});
Short Link: https://sg.run/OPW2