From 84cfd95771a35ec00b9d09bfa3f8669ba46b71ff Mon Sep 17 00:00:00 2001 From: Andrea Brancaleoni Date: Fri, 21 Jul 2023 15:38:09 +0200 Subject: [PATCH] url-constructor-base.yaml: add assignees --- assets/semgrep_rules/web/url-constructor-base.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/assets/semgrep_rules/web/url-constructor-base.yaml b/assets/semgrep_rules/web/url-constructor-base.yaml index d0a002a7..805ba068 100644 --- a/assets/semgrep_rules/web/url-constructor-base.yaml +++ b/assets/semgrep_rules/web/url-constructor-base.yaml @@ -6,6 +6,9 @@ rules: references: - https://developer.mozilla.org/en-US/docs/Web/API/URL/URL#parameters source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/web/url-constructor-base.yaml + assignees: | + bcaller + thypon message: Are you using the `URL(url, base)` constructor as a security control to limit the origin with base `$BASE`? The base is ignored whenever url looks like an @@ -24,4 +27,4 @@ rules: - pattern-not-inside: | $VAR = new URL($A, $BASE) ... - <... $VAR.origin ...> \ No newline at end of file + <... $VAR.origin ...>
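Review bot: The added `assignees: |` key stores `bcaller` and `thypon` as one newline-separated block scalar, not a YAML sequence, so whatever reads this rule metadata has to split and trim the string itself, and nothing in the file documents that format or what the handles are for. If the consuming tooling accepts it, `assignees: [bcaller, thypon]` would be harder to mis-parse. Otherwise a comment above the key would help, for example `# handles that own findings from this rule, one per line`, assuming that is what the key means. If these handles decide who is routed a finding, a renamed or departed account would presumably leave findings unowned, so a team alias may be more durable than individual names. The mapping that encloses this key starts outside the hunk.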