sanitize

Vulnerability: improper sanitization in the npm sanitize module
Severity: 7.6
Language: javascript
Registry: npm

I noticed that sanitization is not working properly at one point in this module when I used this package to sanitize a string input in an API. When sanitizing a string, it must remove the harmful characters, but this module fails to do so. It only gives a warning in the log, but does not remove these characters.

Steps to Reproduce:

  1. Added the attachment for easy steps (Drive link)
  2. Unzip and open the terminal
  3. Run the command npm start
  4. Open this URL http://localhost:3001/ping?param=hi'"><script>alert(1)</script>

Drive link: https://drive.google.com/drive/folders/1rq7ztN4kQUtcJWx8iTiRpHI8nKSvD90a?usp=sharing

Vulnerable Functions:

  req.queryString(queryParam: String): String
  req.bodyString(bodyParam: String): String
  req.headerString(headerName: String): String
  req.paramString(paramName: String): String

Impact: Sanitization is not done properly here, which may lead to a lot of problems in future usage. For example, this may lead to code execution, XSS, and many more issues due to improper sanitization.
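
A caller-side mitigation and regression check, as an added example that is not part of the original report or the sanitize module's code: treat the sanitizer's return value as untrusted, test it against known inputs, and HTML-encode at output. `warnOnlySanitizer` is a hypothetical stand-in for the warn-but-return-unchanged behaviour described above, and every function name here is an assumption.

```javascript
// Added example: names below are illustrative, not the sanitize module's API.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const MARKUP_CHARS = /[<>"']/;

// Context-specific output encoding for HTML text and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical stand-in: logs a warning but returns the input unchanged,
// which is the behaviour the report describes.
function warnOnlySanitizer(value, log = () => {}) {
  if (MARKUP_CHARS.test(value)) log(`warning: suspicious input: ${JSON.stringify(value)}`);
  return value;
}

// Regression check: return every sample whose sanitized form still
// carries markup characters. An empty array means the sanitizer passed.
function findSanitizerFailures(sanitizeFn, samples) {
  return samples.filter((s) => MARKUP_CHARS.test(String(sanitizeFn(s))));
}

// Caller-side guard: never reflect the sanitizer's return value directly.
function renderParam(rawValue, sanitizeFn) {
  const cleaned = sanitizeFn(rawValue);
  if (typeof cleaned !== 'string') return '';
  return escapeHtml(cleaned);
}

// Constructed samples; the second is the query string value from the report.
const SAMPLES = ['hi', 'hi\'"><script>alert(1)</script>', 'a & b'];

function demo() {
  return {
    failures: findSanitizerFailures(warnOnlySanitizer, SAMPLES),
    fixedFailures: findSanitizerFailures(escapeHtml, SAMPLES),
    rendered: renderParam(SAMPLES[1], warnOnlySanitizer),
  };
}

console.log(demo());
```

Running `findSanitizerFailures` against the real sanitizer functions in a unit test catches a warn-only regression before it reaches a response body.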
