Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Fortify Scan finds a critical vulnerability
See original GitHub issueDescribe the bug A Fortify Scan finds a critical Cross-Site Scripting vulnerability in Axios here:
https://github.com/axios/axios/blob/master/lib/helpers/isURLSameOrigin.js#L30
urlParsingNode.setAttribute('href', href);
The method resolveURL() sends unvalidated data to a web browser, which can result in the browser executing malicious code.
This issue has been reported previously, but then it was closed as 0.19.0 was supposed to provide a fix.
We ran a Fortify scan on 0.19.0 and got the same error; the source code still contains the problematic line above and the issue remains.
Issue Analytics
- State:
- Created 4 years ago
- Reactions:3
- Comments:12 (1 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Just a heads up from Snyk - thanks to @dominykas pulling us in here we’ve reviewed the vulnerability and determined it really is a false positive on Fortify’s account - and we are going to be removing the vulnerability from our DB. Apologies for the noise on our side, and please let us know if we can be of help talking to people at Fortify to get the issues cleared up if you all opt to not release any changes on account of this scan in the end.
As @benjifin says, we have released 0.19.2 to revert the overkill patch in 0.19.1.