Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

introduce eslint for DOM XSS linting #620

Merged
merged 2 commits into from
Oct 10, 2019
Merged

introduce eslint for DOM XSS linting #620

merged 2 commits into from
Oct 10, 2019

Conversation

mozfreddyb
Copy link
Contributor

@mozfreddyb mozfreddyb commented Oct 8, 2019
edited
Loading

For this to be immediately useful, one needs to:

  • fix existing violations (below) Remove use of innerHtml #621
  • in package.json, add "script" to run eslint on all relevant source files
  • integrate script into CI

Existing violations:

zap-hud/src/main/zapHomeFiles/hud/display.js
  1116:5  error  Unsafe assignment to innerHTML  no-unsanitized/property
zap-hud/src/main/zapHomeFiles/hud/libraries/alertify.js
  1:2257  error  Unsafe assignment to innerHTML  no-unsanitized/property
  1:2897  error  Unsafe assignment to innerHTML  no-unsanitized/property
zap-hud/src/main/zapHomeFiles/hud/target/inject.js
  454:3  error  Unsafe assignment to innerHTML  no-unsanitized/property

@thc202
Copy link
Member

thc202 commented Oct 8, 2019

Can't this be configured through xo?

@psiinon psiinon mentioned this pull request Oct 8, 2019
Open
3 tasks
@psiinon
Copy link
Member

psiinon commented Oct 8, 2019
edited
Loading

For info have just raised #621 re removing the use of innerHtml

@mozfreddyb
Copy link
Contributor Author

xo seems to use eslint underneath, so theoretically yes. I haven't ever used or looked at xo before though.

@thc202
Copy link
Member

thc202 commented Oct 8, 2019

OK, xo is already running by default (locally and CI) and (I think) it includes all relevant source files, so it would just need the plugin(s).

@mozfreddyb mozfreddyb changed the title [wip] introduce eslint for DOM XSS linting introduce eslint for DOM XSS linting Oct 9, 2019
@mozfreddyb
Copy link
Contributor Author

OK. Waiting for #621 then :-)

@psiinon
Copy link
Member

psiinon commented Oct 10, 2019

Can we whitelist the remaining 2 uses of innerHtml so that we can merge this PR?
If so we should add them to #608 so they dont get forgotten.
I think we should ignore everything under zap-hud/src/main/zapHomeFiles/hud/libraries/ as they are external libs.

@mozfreddyb
Copy link
Contributor Author

imho it'd be easier to add DOMPurify than to whitelist. Especially since those whitelists are often forgotten and might introduce vulnerabilities long-term (as we've seen with others whitelisting existing and secure uses of innerHTML)

@psiinon
Copy link
Member

psiinon commented Oct 10, 2019

Fine for display.js but I dont want to apply DOMPurify to the alertify.js library - no idea what impact that could have.

@mozfreddyb
Copy link
Contributor Author

it seems alertify.js is already opted out of the linter. probably because it's minified?

@psiinon
Copy link
Member

psiinon commented Oct 10, 2019

And because its an external lib :)

kingthorin
kingthorin approved these changes Oct 10, 2019
View reviewed changes
Copy link
Member

@kingthorin kingthorin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @mozfreddyb

@psiinon psiinon merged commit 7cccd13 into zaproxy:develop Oct 10, 2019
@njmulsqb njmulsqb mentioned this pull request May 7, 2022
Open
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kingthorin kingthorin kingthorin approved these changes

@psiinon psiinon psiinon approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mozfreddyb @thc202 @psiinon @kingthorin