
Fix static analysis findings on push-notifications
Closed, Resolved (Public)


From security review:

Static Analysis Findings

  • njsscan found an unvalidated regular expression on line 32 within test/utils/assert.js. This isn't much of a concern, given that 1) these are tests and 2) the way it's used within features/app/spec.ts and features/info/info.ts is fine. Still, it might be a good idea to sanitize expectedRegexString based upon expected values within the context of these tests, if possible (though regular expression sanitization can be difficult or even impossible at times). Risk: low.
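The finding above is the classic "string passed straight into new RegExp()" pattern: any metacharacter in the expected value silently changes what the assertion matches, and a malformed value throws instead of failing cleanly. The block below is an added example, not code from the push-notifications repository or from the patch referenced on this task; the helper names (escapeRegExp, literalRegex, matchesUnsanitized, matchesSanitized) and the sample expected value are assumptions made here to show the difference between the two behaviours.

```javascript
// Added example (not the project's own test/utils/assert.js). Shows why an
// expected value should be escaped before it is turned into a RegExp, and what
// the sanitized helper looks like.

// Escape every character that has special meaning inside a JavaScript RegExp.
// This is the character set MDN documents for an escapeRegExp helper.
function escapeRegExp(str) {
  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build a regex that matches the expected string literally. Anchoring with
// ^ and $ also stops a substring from satisfying the assertion by accident.
function literalRegex(expected) {
  return new RegExp('^' + escapeRegExp(expected) + '$');
}

// Unsanitized form: the expected value is used as a pattern verbatim.
// Metacharacters in it rewrite the pattern, and an unbalanced "(" throws.
function matchesUnsanitized(expected, actual) {
  return new RegExp(expected).test(actual);
}

// Sanitized form: the expected value can only ever match itself.
function matchesSanitized(expected, actual) {
  return literalRegex(expected).test(actual);
}

// Constructed sample: a version string whose '.', '(', ')' and '+' are all
// regex metacharacters.
const EXPECTED = 'v1.0 (build+42)';

// Returns the four outcomes side by side so they can be inspected or asserted.
function demo() {
  return {
    // '.' became a wildcard, '(...)' a group and 'd+' a quantifier, so a value
    // that is clearly wrong is accepted...
    unsanitizedAcceptsWrongValue: matchesUnsanitized(EXPECTED, 'v1x0 build42'),
    // ...while the exact expected string is rejected, because the rewritten
    // pattern no longer contains the literal "(" or "+".
    unsanitizedAcceptsRightValue: matchesUnsanitized(EXPECTED, EXPECTED),
    sanitizedAcceptsRightValue: matchesSanitized(EXPECTED, EXPECTED),
    sanitizedAcceptsWrongValue: matchesSanitized(EXPECTED, 'v1x0 build42'),
  };
}

console.log(demo());
```

If a test genuinely needs a pattern rather than a literal (for example a timestamp placeholder in a log line), keep the pattern under the test's own control and escape only the caller-supplied fragments before concatenating them, so the shape of the regex is fixed by the test code and not by its inputs.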

Event Timeline

Change 627499 had a related patch set uploaded (by Jgiannelos; owner: Jgiannelos):
[mediawiki/services/push-notifications@master] Sanitize expectedRegexString input

Change 627499 merged by jenkins-bot:
[mediawiki/services/push-notifications@master] Sanitize expectedRegexString input

Any other updates needed based on the static analysis, or can this be resolved?