我在 Gitlab 报告中遇到以下安全漏洞问题:
我掌握的信息:
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')描述:
A variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system.代码:
const sanitizedPath = decodeURIComponent(IMPORTED_DOCUMENTATION_URL);
window.open(sanitizedPath, "_blank", "noopener");
规则:eslint.detect-non-literal-fs-filename
标识符:CWE-22 https://cwe.mitre.org/data/definitions/22.html
如何避免此漏洞?
作为临时修复:
我直接将 URL 字符串作为第一个参数添加到 window.open 函数,而不是从另一个文件导入。
window.open("URL to open on new tab", "_blank", "noopener");