Fill sinks for tools where threat-model fires but sinks was empty#33
Merged
AdonisJS gets 16 sinks covering its bundled Edge templates ({{{ triple
stash, safe() helper), Lucid ORM (rawQuery, whereRaw, etc.), redirect
helpers, file downloads, session fixation on auth.use().login, and mass
assignment without $fillable. Astro gets set:html and Astro.redirect
for SSR mode. Qwik and SolidJS get their innerHTML equivalents. Ember
gets the Handlebars triple-stash and htmlSafe. Eleventy gets the
unescaped forms from its supported template engines (Nunjucks |safe,
Handlebars {{{, EJS <%-). Gatsby gets dangerouslySetInnerHTML and
notes on createPage path traversal and GraphQL query injection.
Every tool carrying function:templating in its taxonomy now has at
least one sink.
Closes #30
Seven tools carried taxonomy that fired threat mappings but had no `[[security.sinks]]`, so `brief threat-model` said "this is dangerous" while `brief sinks` said nothing to grep for.
AdonisJS (16 sinks) is the biggest — it bundles Edge templates (`{{{` triple stash, `safe()` helper), Lucid ORM (`rawQuery`, `whereRaw`, etc.), redirect helpers, file downloads, session fixation on `auth.use().login`, and mass assignment without `$fillable`. Astro gets `set:html` and `Astro.redirect` for SSR mode. Qwik and SolidJS get their `innerHTML` equivalents. Ember gets the Handlebars triple-stash and `htmlSafe`. Eleventy gets the unescaped forms from its supported engines (Nunjucks `|safe`, Handlebars `{{{`, EJS `<%-`). Gatsby gets `dangerouslySetInnerHTML` and notes on `createPage` path traversal.
Every tool carrying `function:templating` in its taxonomy now has at least one sink.
Closes #30
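As an added illustration (not code from the `brief` project or this PR), here is the kind of grep a reviewer would run for the one-line sink constructs listed above; the regexes, the finding labels and the sample source are assumptions constructed here, and the session-fixation and `$fillable` mass-assignment sinks are left out because they are not single-line patterns.

```python
import re

# Sink patterns for the constructs named in the PR description. The
# labels and regexes are our own; the constructs themselves are the
# ones the PR adds (triple stash, safe(), rawQuery/whereRaw, set:html,
# innerHTML, htmlSafe, |safe, <%-, dangerouslySetInnerHTML).
SINKS = {
    "triple-stash":         re.compile(r"\{\{\{"),                 # Edge / Handlebars {{{ }}}
    "edge-safe-helper":     re.compile(r"\bsafe\("),               # Edge safe() helper
    "lucid-raw-query":      re.compile(r"\.(rawQuery|whereRaw)\("),# Lucid ORM raw SQL
    "astro-set-html":       re.compile(r"\bset:html="),            # Astro set:html directive
    "dom-innerhtml":        re.compile(r"\binnerHTML\b"),          # Qwik / SolidJS innerHTML
    "ember-htmlsafe":       re.compile(r"\bhtmlSafe\("),           # Ember htmlSafe()
    "nunjucks-safe-filter": re.compile(r"\|\s*safe\b"),            # Nunjucks |safe filter
    "ejs-unescaped":        re.compile(r"<%-"),                    # EJS unescaped output
    "react-dangerously":    re.compile(r"dangerouslySetInnerHTML"),# Gatsby / React
}

# Constructed sample mixing escaped (safe) and unescaped (sink) lines.
SAMPLE = """\
<p>{{ user.name }}</p>
<div>{{{ user.bio }}}</div>
<div set:html={post.body} />
const rows = await Database.rawQuery(`select * from users where id = ${id}`)
el.innerHTML = comment
{{ article.body | safe }}
<%- include('footer') %>
<div dangerouslySetInnerHTML={{ __html: html }} />
{{ safe(notes) }}
"""


def scan(source: str) -> list[tuple[int, str, str]]:
    """Return (line_no, sink_id, line) for every line matching a sink."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for sink_id, pattern in SINKS.items():
            if pattern.search(line):
                findings.append((lineno, sink_id, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, sink_id, line in scan(SAMPLE):
        print(f"{lineno:>3}  {sink_id:<22} {line}")
```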