JavaScript: Address doc review comments.

Max Schaefer
2018-11-29 09:49:13 +00:00
parent 45574d4eaa
commit 506236994f

@@ -6,7 +6,7 @@
<overview>
<p>
JavaScript makes it easy to look up object properties dynamically at runtime. In particular, methods
can be looked up by name and then called. However, if he method name is user controlled, an attacker
can be looked up by name and then called. However, if the method name is user-controlled, an attacker
could choose a name that makes the application invoke an unexpected method, which may cause a runtime
exception. If this exception is not handled, it could be used to mount a denial-of-service attack.
</p>
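Review bot: The sentence "could choose a name that makes the application invoke an unexpected method, which may cause a runtime exception" only covers a name that resolves to some other method. A name that resolves to a non-function property, or to nothing at all, also throws when the result is called, and that is the case the function check in the recommendation section guards against. Consider mentioning it here so the overview and the recommendation describe the same failure modes. Minor style point on the changed line: "user-controlled" follows the verb ("is user-controlled"), where many style guides leave the compound unhyphenated; check what the other query help files do and match them.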
@@ -33,7 +33,7 @@ If the dynamic method lookup cannot be avoided, consider whitelisting permitted
the very least, check that the method is an own property and not inherited from the prototype object.
If the object on which the method is looked up contains properties that are not methods, you
should additionally check that the result of the lookup is a function. Even if the object only
contains methods it is still a good idea to perform this check in case other properties are
contains methods, it is still a good idea to perform this check in case other properties are
added to the object later on.
</p>
</recommendation>
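Review bot: The function check is first made conditional ("If the object on which the method is looked up contains properties that are not methods, you should additionally check ...") and then recommended anyway in the sentence this hunk touches ("Even if the object only contains methods, it is still a good idea ..."). Since the advice ends up unconditional, consider merging the two sentences into one direct recommendation: check that the property is an own property and that the looked-up value is a function before calling it. That also makes it clear that both checks are needed together, which the current wording leaves to the reader to infer.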