File name matcher does not work if script type attribute is after script src attribute #81

Open
MasanoriOnuki opened this issue Jun 12, 2024 · 0 comments · May be fixed by #82


@MasanoriOnuki

The method ScannerFacade#findScriptUrl does not correctly extract only the src attribute value.

It seems this method is intended to extract the value between the first quote in the src attribute and the last quote in the src attribute.
However, the method actually extracts the value between the first quote in the src attribute and the last quote in the script tag.

For example, if the script tag is as below, ScannerFacade#findScriptURL returns /jquery-1.4.3,.min.js" type="text/javascript.

<script src="/jquery-1.4.3,.min.js" type="text/javascript"></script>

The file matcher works on the substring after the last slash of the extracted value, so in this case, it processes javascript.
Therefore, the library with vulnerabilities jquery-1.4.3.min.js is not detected.
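
The extraction behaviour described in this issue, reproduced next to a bounded alternative, as an added example that is not the project's code and not the change proposed in #82. The class and method names (`ScriptSrcDemo`, `greedySrc`, `boundedSrc`, `fileName`) are hypothetical, and the second tag is a constructed reordering of the one in the report.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ScriptSrcDemo {
    // Behaviour described in the issue: from the first quote after "src"
    // up to the LAST quote anywhere in the script tag.
    static String greedySrc(String tag) {
        int src = tag.indexOf("src");
        if (src < 0) return null;
        int open = indexOfQuote(tag, src);
        int close = Math.max(tag.lastIndexOf('"'), tag.lastIndexOf('\''));
        return (open < 0 || close <= open) ? null : tag.substring(open + 1, close);
    }

    // Bounded alternative (assumption: quoted attribute values only):
    // stop at the quote that matches the one opening the src value.
    private static final Pattern SRC = Pattern.compile(
        "\\ssrc\\s*=\\s*([\"'])(.*?)\\1", Pattern.CASE_INSENSITIVE);

    static String boundedSrc(String tag) {
        Matcher m = SRC.matcher(tag);
        return m.find() ? m.group(2) : null;
    }

    static int indexOfQuote(String s, int from) {
        int d = s.indexOf('"', from), q = s.indexOf('\'', from);
        if (d < 0) return q;
        if (q < 0) return d;
        return Math.min(d, q);
    }

    // What the file name matcher sees: the substring after the last slash.
    static String fileName(String url) {
        return url == null ? null : url.substring(url.lastIndexOf('/') + 1);
    }

    public static void main(String[] args) {
        String[] tags = {
            "<script src=\"/jquery-1.4.3,.min.js\" type=\"text/javascript\"></script>", // from the issue
            "<script type=\"text/javascript\" src=\"/jquery-1.4.3,.min.js\"></script>"  // constructed
        };
        for (String tag : tags) {
            System.out.println(tag);
            System.out.println("  greedy : " + fileName(greedySrc(tag)));
            System.out.println("  bounded: " + fileName(boundedSrc(tag)));
        }
    }
}
```

With `src` first, the greedy variant hands `javascript` to the file name matcher, while the bounded variant yields the script's file name for both attribute orders.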
