SAST : CrossSiteScripting

Question

SAST : CrossSiteScripting

JyothiBacham opened this issue 3 years ago · comments

JyothiBacham commented 3 years ago

JyothiBacham · Answer 1 · Fri Jun 04 2021 21:46:59 GMT+0800 (China Standard Time)

JyothiBacham commented 3 years ago

IBMeric · Answer 2 · Tue Jun 08 2021 05:39:39 GMT+0800 (China Standard Time)

Thank you for your report. Could you provide more explanation? You cited the description of CVE-2021-31684, a library the SDK does not depend on, and posted screenshots of a call tree for a separate item.

JyothiBacham · Answer 3 · Thu Jun 10 2021 08:47:32 GMT+0800 (China Standard Time)

Hi @IBMeric .. sorry please ignore the description provided previously.. I have deleted that. There is a risk of CrossSiteScripting at line 132 of AWSsigner is what our AppScan report says. Attaching more details on the risk and recommendations here.

JyothiBacham · Answer 4 · Thu Jun 10 2021 08:48:24 GMT+0800 (China Standard Time)

JyothiBacham commented 3 years ago

JyothiBacham · Answer 5 · Mon Jun 14 2021 13:18:31 GMT+0800 (China Standard Time)

Hi.. any update on this please

IBMeric · Answer 6 · Tue Jun 15 2021 01:30:12 GMT+0800 (China Standard Time)

This issue is present in upstream and is for v3 signatures that COS does not support. Clients should use IAM tokens or v4 signatures.