My company utilizes a static analysis tool to scan source code for security vulnerabilities. The tool is called Fortify and is maintained by HP: http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/index.html
Recently, this tool began reporting a DOM XSS vulnerability in angular.js. The specific issue appears to be in the undocumented `$browser.url` service: https://github.com/angular/angular.js/blob/d8d30ce67666bb15d36ee7b9cf903fe94cad5942/src/ng/browser.js

The source is identified as the store of `window.location` on this line: https://github.com/angular/angular.js/blob/d8d30ce67666bb15d36ee7b9cf903fe94cad5942/src/ng/browser.js#L124

The sink (where potentially tainted data causes an unvalidated redirect) is writing a raw String to `location.href` here: https://github.com/angular/angular.js/blob/d8d30ce67666bb15d36ee7b9cf903fe94cad5942/src/ng/browser.js#L156

I've found that wrapping this function call in `window.encodeURIComponent` seems to quiet the tool. I'm not a security expert, but here's some information on DOM XSS I've found:

http://sec.omar.li/2012/05/overview-of-dom-xss.html
http://open.bekk.no/owasp-top-10-for-javascript-a2-cross-site-scripting-xss
http://stackoverflow.com/questions/1822598/getting-url-hash-location-and-using-it-in-jquery

So, I have three questions:

1. Has anyone else encountered this?
2. Should this be considered an exploitable vulnerability?
3. Is this worth submitting a PR to the AngularJS source?

This is of particular importance to me because my company halts the deployment of any applications that have vulnerabilities like this identified.
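Whatever the tool concludes about this particular source-to-sink path, the check a reviewer would expect between a string read from `window.location` and an assignment to `location.href` is a target allow-list (scheme and origin), not encoding. The block below is an added example, not code from AngularJS, Fortify or the post above; `isSafeRedirectTarget`, `resolvedHref` and the `app.example` origin are assumptions for illustration, and it also shows what `encodeURIComponent` on a whole URL actually produces.

```javascript
// Added example (not AngularJS or Fortify code). Uses the WHATWG URL class,
// so it runs in Node and in modern browsers.

// Returns true only if `candidate` may be assigned to location.href
// without leaving `currentOrigin` (e.g. 'https://app.example').
function isSafeRedirectTarget(candidate, currentOrigin) {
  if (typeof candidate !== 'string') return false;
  const value = candidate.trim();
  // Embedded control characters (tab, newline, ...) never belong in a URL we
  // built ourselves; the URL parser would silently strip them, so reject first.
  if (/[\u0000-\u001f\u007f]/.test(value)) return false;
  let parsed;
  try {
    parsed = new URL(value, currentOrigin); // relative paths resolve against the origin
  } catch (e) {
    return false; // unparsable input is rejected, not "fixed up"
  }
  // Scheme allow-list: anything that is not http(s) is rejected.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  // Absolute and protocol-relative URLs must stay on the current origin.
  return parsed.origin === new URL(currentOrigin).origin;
}

// What the browser would navigate to if `value` were assigned to
// location.href while the page is at `currentOrigin`.
function resolvedHref(value, currentOrigin) {
  return new URL(value, currentOrigin).href;
}

// Constructed sample inputs (assumed origin, not from the post).
const origin = 'https://app.example';
console.log(isSafeRedirectTarget('/dashboard#section', origin));           // true
console.log(isSafeRedirectTarget('https://app.example/home?x=1', origin)); // true
console.log(isSafeRedirectTarget('//other.example/path', origin));         // false
console.log(isSafeRedirectTarget('javascript:void(0)', origin));           // false
// encodeURIComponent does not validate a URL: applied to the whole string it
// yields a relative path on the current origin, so the redirect silently breaks.
console.log(resolvedHref(encodeURIComponent('https://app.example/home?x=1'), origin));
// https://app.example/https%3A%2F%2Fapp.example%2Fhome%3Fx%3D1
```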
