hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 12:46:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
cb0ac61db603d130e11c586d623f160156cb5a27
codeql/javascript/ql/src/AngularJS/DisablingSce.ql
Erik Krogh Kristensen aa9261f1b1 convert the AngularJS model to use DataFlow nodes
2022-09-05 16:11:54 +02:00

23 lines
649 B
Plaintext
Raw Blame History

/**
* @name Disabling SCE
* @description Disabling strict contextual escaping (SCE) can cause security vulnerabilities.
* @kind problem
* @problem.severity warning
* @security-severity 7.8
* @precision very-high
* @id js/angular/disabling-sce
* @tags security
* maintainability
* frameworks/angularjs
* external/cwe/cwe-116
*/
import javascript
from DataFlow::MethodCallNode mce, AngularJS::BuiltinServiceReference service
where
service.getName() = "$sceProvider" and
mce = service.getAMethodCall("enabled") and
mce.getArgument(0).mayHaveBooleanValue(false)
select mce, "Disabling SCE is strongly discouraged."
Reference in New Issue View Git Blame Copy Permalink