【问题标题】:Dojo.js has unvalidated dataDojo.js 有未经验证的数据
【发布时间】:2015-01-07 16:51:03
【问题描述】:

我正在使用供应商创建的电子学习课程(我们不再与之打交道),当我通过公司的安全软件 (HP Fortify Scan) 上传文件时,我遇到了多个错误。我已经纠正了所有错误,期望一个。错误在 dojo.js 文件中,它与未验证的 url 变量有关。我敢肯定这是一个简单的修复,但有人可以解释是什么让这个未经验证?我如何验证这个url 变量?

这是带有代码的错误消息的屏幕截图(我将行号放在注释中):

代码:

function xhr(url, options, returnDeferred){
    var response = util.parseArgs(
        url,
        util.deepCreate(defaultOptions, options),
        has('native-formdata') && options && options.data && options.data instanceof FormData
    );
    // THIS IS LINE 11540
    url = response.url; 
    options = response.options;

    var remover,
        last = function(){
            remover && remover();
        };

    //Make the Deferred object for this xhr request.
    var dfd = util.deferred(
        response,
        cancel,
        isValid,
        isReady,
        handleResponse,
        last
    );
    var _xhr = response.xhr = xhr._create();

    if(!_xhr){
        // If XHR factory somehow returns nothings,
        // cancel the deferred.
        dfd.cancel(new RequestError('XHR was not created'));
        return returnDeferred ? dfd : dfd.promise;
    }

    response.getHeader = function(headerName){
        return this.xhr.getResponseHeader(headerName);
    };

    if(addListeners){
        remover = addListeners(_xhr, dfd, response);
    }

    var data = options.data,
        async = !options.sync,
        method = options.method;

    try{
        // IE6 won't let you call apply() on the native function.
        // THIS IS LINE 11580
        _xhr.open(method, url, async, options.user || undefined, options.password || undefined);

        if(options.withCredentials){
            _xhr.withCredentials = options.withCredentials;
        }

        var headers = options.headers,
            contentType;
        if(headers){
            for(var hdr in headers){
                if(hdr.toLowerCase() === 'content-type'){
                    contentType = headers[hdr];
                }else if(headers[hdr]){
                    //Only add header if it has a value. This allows for instance, skipping
                    //insertion of X-Requested-With by specifying empty value.
                    _xhr.setRequestHeader(hdr, headers[hdr]);
                }
            }
        }

        if(contentType && contentType !== false){
            _xhr.setRequestHeader('Content-Type', contentType);
        }
        if(!headers || !('X-Requested-With' in headers)){
            _xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
        }

        if(util.notify){
            util.notify.emit('send', response, dfd.promise.cancel);
        }
        _xhr.send(data);
    }catch(e){
        dfd.reject(e);
    }

    watch(dfd);
    _xhr = null;

    return returnDeferred ? dfd : dfd.promise;
}

提前致谢,

迈克

【问题讨论】:

    标签: javascript security dojo fortify phishing


    【解决方案1】:

    我想说这不一定是错误,只是 HP Fortify Scan 指出了 dojo/request/xhr.js 中的一段代码,可能需要您注意,以防您的服务器代码未准备好对于此类攻击...您可以在调用 xhr() 的应用程序(可能在您的商店中)的更高级别代码中验证 url,但不确定这是否会满足 HP Fortify。

    【讨论】:

      猜你喜欢
      • 2013-06-10
      • 1970-01-01
      • 1970-01-01
      • 2018-06-16
      • 1970-01-01
      • 1970-01-01
      • 2011-05-15
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多