DP-43340 replace-feedback-api-backend #3208
Conversation
dstorozhuk
changed the title
![prisma-cloud-devsecops[bot]](https://avatars.githubusercontent.com/in/135857?s=60&v=4){kind=small}
| timeout: 10000, | ||
| maximumAge: 300000, // 5 minutes cache | ||
| }, | ||
| ); |
There was a problem hiding this comment.
Restrict unnecessarily powerful browser features
File: mass-feedback-form.behaviors.js | Checkov ID: CKV3_SAST_78
How To Fix
// Only query for geolocation when a user action requires it
function getLocation() {
if ("geolocation" in navigator) {
navigator.geolocation.getCurrentPosition(position => {
// Use the position data
});
} else {
// Handle no geolocation scenario
}
}
// This function should only be triggered when the user explicitly requests a feature that needs geolocation
document.querySelector("#getLocationButton").addEventListener('click', getLocation);
Description
CWEs: CWE-250: Execution with Unnecessary Privileges, CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
OWASP: A01:2021-Broken Access Control
CWE-250: Execution with Unnecessary Privileges, CWE-359: Exposure of Private Personal Information to an Unauthorized ActorOWASP:
A01:2021-Broken Access ControlBrowser features like geolocation, camera, and microphone offer vast functionalities but come with inherent security and privacy implications. These features are accessible through JavaScript APIs and often require user permissions. While these permissions might be essential for certain applications, they can be misused or exploited by attackers if not properly managed.
When unnecessary access to these features is allowed, it can lead to situations where sensitive information is exposed or where the application operates with more privileges than required, leading to potential security vulnerabilities.
Vulnerable code example:
javascript
// Querying for geolocation permission
navigator.permissions.query({name: "geolocation"}).then(response => {
if (response.state == 'granted') {
// Access granted
} else {
// Access denied
}
});
There was a problem hiding this comment.
@dstorozhuk Is it your understanding as well that we already are only calling the geolocation on form submit, so this issue is already addressed?
dstorozhuk
force-pushed
the
feature/DP-43340-replace-feedback-api-backend
branch
from
09e598b to
b3051b8
Compare
tfleming-ma
left a comment
tfleming-ma
left a comment
There was a problem hiding this comment.
@dstorozhuk Overall looking good to me. I added some very minor comments and suggestions for a couple minor things. I also added a topic for discussion to the ticket.
| timeout: 10000, | ||
| maximumAge: 300000, // 5 minutes cache | ||
| }, | ||
| ); |
There was a problem hiding this comment.
@dstorozhuk Is it your understanding as well that we already are only calling the geolocation on form submit, so this issue is already addressed?
…support. Signed-off-by: Dmytro Storozhuk <dima@itech4web.com>
…nodes without organization Signed-off-by: Dmytro Storozhuk <dima@itech4web.com>
Signed-off-by: Dmytro Storozhuk <dima@itech4web.com>
Signed-off-by: Dmytro Storozhuk <dima@itech4web.com>
Signed-off-by: Dmytro Storozhuk <dima@itech4web.com>
dstorozhuk
force-pushed
the
feature/DP-43340-replace-feedback-api-backend
branch
from
e697cd8 to
707b6d4
Compare
…n feedback submission Signed-off-by: Dmytro Storozhuk <dima@itech4web.com>
…detection Signed-off-by: Dmytro Storozhuk <dima@itech4web.com>
Description:
Explain the technical implementation of the work done.
Jira: (Skip unless you are MA staff)
DP-****
To Test:
Peer Review Checklist