Basic/configurable no-metadata state_call interfaces #4987
Semgrep found 5: Detected an explicit unescape in a Mustache template, using triple braces '{{{...}}}' or ampersand '&'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location. ⚪️ This finding does not block your pull request. 🙈 From javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape.
Will have to see if this actually makes it in - the issue is that 95% of this is throw-away (or needs to be completely moved), so unsure if the maintenance pain on this is actually worth it while there is 0 info from the metadata. (Stuff that goes in has a very long lifetime as we don't want to end up with the current "do everything manually" mess we have elsewhere)
Closes #4930
Tested with -
Obviously a bit funny, since the augmentation (manually applied) is being generated for all the functions above; however, it doesn't get auto-applied to the API config since we really don't want, at this point, to maintain more manual interfaces. At the same point, generation needs to be tested, so some raw definitions which are not applied do exist. (Only for the functions detailed above)
... if these are contributed and stable, we could change the above and include at least some by default.