url-constructor-base.yaml: add assignees
thypon authored Jul 21, 2023
1 parent 15dd28c commit 84cfd95
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion assets/semgrep_rules/web/url-constructor-base.yaml
Expand Up @@ -6,6 +6,9 @@ rules:
references:
- https://developer.mozilla.org/en-US/docs/Web/API/URL/URL#parameters
source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/web/url-constructor-base.yaml
assignees: |
bcaller
thypon
message: Are you using the `URL(url, base)` constructor as a security control
to limit the origin with base `$BASE`?
The base is ignored whenever url looks like an
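
Review bot: The new `assignees` key, inserted after `source:`, is a `|` block scalar with one username per line (`bcaller`, `thypon`), so a YAML parser returns one multi-line string rather than a list. Whatever reads this field has to split on newlines and trim each entry. A short comment in the rule stating that format, or a YAML sequence if the consumer accepts one, would keep a later edit from silently breaking assignment. The commit message also does not say what consumes `assignees`; one line about that would help the next person who edits the rule.
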
Expand All @@ -24,4 +27,4 @@ rules:
- pattern-not-inside: |
$VAR = new URL($A, $BASE)
...
<... $VAR.origin ...>
<... $VAR.origin ...>
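
Review bot: The final `<... $VAR.origin ...>` line appears as removed and re-added with identical visible text, and the header `-24,4 +27,4` matches a one-line swap, so this looks like a whitespace or end-of-file newline change unrelated to adding assignees. Please confirm it is intentional and mention it in the commit message, or drop it so the diff contains only the metadata change.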
