JS: Make TaintedFormatString have same severity as LogInjection

The CWE number for this query is associated with buffer overflows
from printf/scanf-style functions in C++, which has likely determined
its derived security score.

But in JavaScript, a tainted format string is unlikely to lead to
anything worse than log injection, so we're manually updating its score
to reflect this.
Asger Feldthaus
2021-10-05 08:27:03 +02:00
parent 83ca4ef6d9
commit 682a71176d


@@ -3,7 +3,7 @@
* @description Using external input in format strings can lead to garbled output.
* @kind path-problem
* @problem.severity warning
* @security-severity 9.3
* @security-severity 7.3
* @precision high
* @id js/tainted-format-string
* @tags security
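Review bot: the reason for lowering `@security-severity` from 9.3 to 7.3 exists only in the commit message, while the query metadata still reads `@description Using external input in format strings can lead to garbled output.` with no hint that the score was set by hand; a later maintainer regenerating scores from the CWE mapping would silently restore the buffer-overflow-derived value. Suggest recording the rationale next to the field, e.g. extending the description to say the JavaScript impact is comparable to log injection, so the manual override and its justification travel with the query rather than with this commit.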