Fix code scanning alert no. 2: Incomplete string escaping or encoding #497
Conversation
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -1,5 +1,5 @@ | |||
| export default (name) => { | |||
| name = name.replace(/[[]/, '\\[').replace(/[\]]/, '\\]'); | |||
| name = name.replace(/\[/g, '\\[').replace(/\]/g, '\\]'); | |||
Check failure
Code scanning / CodeQL
Incomplete string escaping or encoding High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 1 month ago
To fix the problem, we need to ensure that all special characters, including backslashes, are properly escaped in the input string. The best way to achieve this is by using a well-tested sanitization library, such as escape-string-regexp, which handles all necessary escaping. This approach ensures that the input string is correctly sanitized without introducing new vulnerabilities.
| @@ -1,3 +1,5 @@ | ||
| import escapeStringRegexp from 'escape-string-regexp'; | ||
|
|
||
| export default (name) => { | ||
| name = name.replace(/\[/g, '\\[').replace(/\]/g, '\\]'); | ||
| name = escapeStringRegexp(name); | ||
| const regex = new RegExp('[\\?&]' + name + '=([^&#]*)'); |
| @@ -15,3 +15,4 @@ | ||
| "vuetify": "^2.6.10", | ||
| "vuex": "^3.4.0" | ||
| "vuex": "^3.4.0", | ||
| "escape-string-regexp": "^5.0.0" | ||
| }, |
| Package | Version | Security advisories |
| escape-string-regexp (npm) | 5.0.0 | None |
| @@ -1,5 +1,5 @@ | |||
| export default (name) => { | |||
| name = name.replace(/[[]/, '\\[').replace(/[\]]/, '\\]'); | |||
| name = name.replace(/\[/g, '\\[').replace(/\]/g, '\\]'); | |||
Check failure
Code scanning / CodeQL
Incomplete string escaping or encoding High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 1 month ago
To fix the problem, we need to ensure that all occurrences of the backslash character are properly escaped in the input string. This can be achieved by using a regular expression with the global flag (g) to replace all occurrences of the backslash character. Additionally, we should ensure that the existing replacements for square brackets are also using the global flag to replace all occurrences.
The best way to fix the problem without changing existing functionality is to update the name.replace method calls to include the global flag and add a replacement for backslashes. This will ensure that all occurrences of the specified characters are properly escaped.
| @@ -1,3 +1,3 @@ | ||
| export default (name) => { | ||
| name = name.replace(/\[/g, '\\[').replace(/\]/g, '\\]'); | ||
| name = name.replace(/\\/g, '\\\\').replace(/\[/g, '\\[').replace(/\]/g, '\\]'); | ||
| const regex = new RegExp('[\\?&]' + name + '=([^&#]*)'); |
Fixes https://github.com/open-contracting/spoonbill-web/security/code-scanning/2
To fix the problem, we need to ensure that all occurrences of the characters
[and]in thenamevariable are properly escaped. This can be achieved by using the global flag (g) in the regular expressions. This way, all instances of the characters will be replaced, not just the first one.We will modify the
replacemethod calls on line 2 to use regular expressions with the global flag.Suggested fixes powered by Copilot Autofix. Review carefully before merging.