Made by DeepSource

Detected insecure whitelisting of URLs in AngularJS JS-S1023

Security
Critical
Tags: A04 (OWASP Top 10), angularjs, CWE-183, CWE-625

Overly permissive patterns for whitelisted URLs can introduce security vulnerabilities.

The `trustedResourceUrlList` (or the deprecated `resourceUrlWhitelist`) method of `$sceDelegateProvider` lets you whitelist URLs that are considered safe sources for templates or scripts loaded by your AngularJS application.

Entries in `trustedResourceUrlList` or `resourceUrlWhitelist` may be string patterns containing the wildcard sequences `*` and `**`. `*` matches zero or more occurrences of any character other than one of the following six characters: `:`, `/`, `.`, `?`, `&` and `;`. `**` matches zero or more occurrences of any character at all.

Placing a wildcard sequence in the URL protocol (scheme), domain, or similar position makes the pattern match far more URLs than intended, including ones controlled by an attacker.

Bad Practice

```javascript
angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.trustedResourceUrlList([
    '**://home.example.com', // will also allow `javascript://home.example.com`
    'https://**.example.com', // will also allow `https://evil.example.com`
    'https://home.**.com', // will also allow `https://home.evil.com`
  ]);
});
```

Recommended

```javascript
angular.module('myApp', []).config(function($sceDelegateProvider) {
  $sceDelegateProvider.trustedResourceUrlList(['https://home.example.com']);
});
```
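To see concretely which URLs the patterns above accept, here is an added example (not DeepSource's rule code and not AngularJS itself) that re-implements the documented `*` / `**` matching semantics as a regular expression and audits a whitelist against a few constructed probe URLs. The function names `patternToRegExp`, `isTrusted` and `auditList` are this example's own.

```javascript
// Convert one whitelist pattern into an anchored RegExp using the documented
// semantics: '**' matches anything, '*' matches anything except : / . ? & ;
function patternToRegExp(pattern) {
  if (pattern.includes('***')) {
    throw new Error('Illegal sequence *** in pattern: ' + pattern);
  }
  // Escape every regex-special character so the rest of the pattern is literal.
  const escaped = pattern.replace(/[-()[\]{}+?*.$^|,:#<!\\]/g, '\\$&');
  const source = escaped
    .replace(/\\\*\\\*/g, '.*')          // '**' -> any characters at all
    .replace(/\\\*/g, '[^:/.?&;]*');     // '*'  -> no scheme/path/host separators
  return new RegExp('^' + source + '$');
}

// True if any entry of the trusted list matches the whole URL.
function isTrusted(trustedList, url) {
  return trustedList.some((p) => patternToRegExp(p).test(url));
}

// Returns { url: boolean } for each probe, so a list can be reviewed at a glance.
function auditList(trustedList, urls) {
  const result = {};
  for (const url of urls) result[url] = isTrusted(trustedList, url);
  return result;
}

// Constructed sample data: the three risky patterns from the rule next to the
// exact-match entry it recommends, probed with the URLs named in the comments.
const riskyList = ['**://home.example.com', 'https://**.example.com', 'https://home.**.com'];
const strictList = ['https://home.example.com'];
const probes = [
  'https://home.example.com',
  'javascript://home.example.com',
  'https://evil.example.com',
  'https://home.evil.com',
];

console.log('risky list :', auditList(riskyList, probes));   // every probe true
console.log('strict list:', auditList(strictList, probes));  // only the first true
```

Note that a single `*` in the domain is not a fix either: `https://home.*.com` still accepts `https://home.evil.com`, because `evil` contains none of the six excluded characters.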
