
Code analysis warning while parsing boolean query param (REST)

// Reads the `isLegacy` flag from the current page's query string.
export function isLegacyResource(): boolean {
    const queryParams = new URLSearchParams(window.location.search);
    return isQspValueTruthy(queryParams.get('isLegacy'));
}

// Treats "1" and "true" (any case) as truthy; a missing param is falsy.
export function isQspValueTruthy(value: string | null): boolean {
    if (value === null) {
        return false;
    }
    return value === '1' || value.toLowerCase() === 'true';
}

const isLegacy = isLegacyResource();

Semmle raises this warning: [SM01513] User-controlled bypass of security check.

This says that I might be comparing the user input using user-controlled data. I feel the query param read using window.location.search is checked for truthiness and this does not contradict any security flaw.

Can someone please point out the issue and how I can mitigate this?

Semmle suspects that this issue is related to some client-side control responsible for security validation. Having security validation on the client side would be a serious issue if present, but I don't think this is true in your case, as this logic does not smell security relevant at all. Static analysis tools do generate a bit of noise and Semmle is no exception. The usual workaround is to find out how to suppress Semmle reporting this piece of code via some code annotations to prevent this false positive in the future.
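To make the distinction the answer draws concrete, here is an added example (not code from the question or the answer). It keeps the same parser but takes the search string as a parameter so it runs outside a browser, then contrasts a presentational use of the flag (what the question does) with the pattern rule SM01513 is meant to catch, where a URL-derived flag gates a privileged action. The `session` object, the `role` field and the `canDeleteRecord` functions are assumptions made up for the illustration.

```javascript
// Same truthiness rule as the question: "1" or "true" (any case) is truthy,
// a missing value (null/undefined) is falsy.
function isQspValueTruthy(value) {
  if (value === null || value === undefined) {
    return false;
  }
  return value === '1' || value.toLowerCase() === 'true';
}

// Parse a search string such as "?isLegacy=true&x=1" instead of reading
// window.location.search, so the logic is testable without a browser.
function isLegacyResource(search) {
  const queryParams = new URLSearchParams(search);
  return isQspValueTruthy(queryParams.get('isLegacy'));
}

// Presentational use: the flag only chooses which view to render. Editing the
// URL changes what the user sees, not what the user is allowed to do, which is
// why this use is not a security check despite the analyzer's wording.
function selectView(search) {
  return isLegacyResource(search) ? 'legacy-view' : 'modern-view';
}

// The pattern the rule is written for (kept only as the 'before' case): a flag
// the user controls in the URL decides whether a privileged operation proceeds.
function canDeleteRecordUnsafe(search) {
  const queryParams = new URLSearchParams(search);
  return isQspValueTruthy(queryParams.get('isAdmin'));
}

// Contrast: the decision uses a value the client did not derive from the URL
// (a hypothetical session object assumed to be filled from a server response);
// the query string is deliberately not consulted for authorization.
function canDeleteRecord(session, search) {
  void search;
  return session !== null && session !== undefined && session.role === 'admin';
}

// Constructed inputs exercising the parser's edge cases.
const samples = ['?isLegacy=1', '?isLegacy=TRUE', '?isLegacy=0', '?other=1', ''];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', selectView(s));
}
```

The point for a reviewer of the SM01513 finding is the last two functions: `isQspValueTruthy` itself is fine, and whether a finding is a true positive depends on what the boolean goes on to gate. A view selector like `selectView` is a safe use and a candidate for suppression; anything shaped like `canDeleteRecordUnsafe` is the real defect the rule exists for.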
