Skip to content

Update TP: JS - 48 #47

New issue
New issue
Open
Open
Update TP: JS - 48#47
Labels
ACK_WAITINGissue to be reviewed and confirmedUPDATE_TPissue is about updating a testability pattern
@compaluca

Description

@compaluca
compaluca
opened on Jun 16, 2023

Testability pattern

JS pattern 48. It has only one instance.

Problem statement

There is a single pattern instance and it is not having a vulnerability. The expectation in that json file should be fixed. However, other changes could be proposed.

Proposed changes

The obstacle code seems to focus on a variable comparison where one of the variable a is attacker-controlled and b is a constant. However, this variable is strictly constrained to the constant when the dangerous operation is applied:

if(a === b){
            //no vulnerability
            res.write(a);
        }

Multiple instances could then be created:

  • considering either == or ===
  • make the write targeting either the constrained attacker-controlled variable a or a different totally unconstrained attacker-controlled variable

Other

Metadata

Metadata

Assignees

No one assigned

    Labels

    ACK_WAITINGissue to be reviewed and confirmedUPDATE_TPissue is about updating a testability pattern

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions