Unchecked Input for Loop Condition when running Checkmarx on an Angular 13 project
While running Checkmarx on an Angular 13 project, the report flags an 'Unchecked Input for Loop Condition' medium issue. Even after limiting the object length, the issue is not resolved.
Below is the piece of code:
deepCopy(obj) {
  // Primitives and null are returned as-is
  if (null === obj || "object" !== typeof obj) {
    return obj;
  }
  if (obj instanceof Array) {
    const copy = [];
    const maxlength = 50;
    let len = obj.length;
    // Cap the iteration count regardless of how long the input array is
    if (len > maxlength) {
      len = maxlength;
    }
    for (let i = 0; i < len; i++) {
      copy[i] = this.deepCopy(obj[i]);
    }
    return copy;
  }
  // Non-array objects are copied key by key (this branch and the closing
  // brace are assumed; the posted snippet was cut off after the array branch)
  const objCopy = {};
  for (const key of Object.keys(obj)) {
    objCopy[key] = this.deepCopy(obj[key]);
  }
  return objCopy;
}
Here the object is passed from the component to this method, which is defined in the service, as:
modelChanges(event, type, child) {
  // Copy the model before mutating it with the value from the template's $event
  this.value = this._sharedService.deepCopy(this.value);
  this.value[type][child] = event;
}
Checkmarx report says:
Method <div class="jumbotron " style="margin-top: 0.5rem; " [ngStyle]="styleTab"> at line 1 of src/app/pop/popcreate/popc-define/popc-define.component.html gets user input from element $event . This element’s value flows
through the code without being validated, and is eventually used in a loop condition in deepCopy at line 25 of
src/app/shared/shared.service.ts. This constitutes an Unchecked Input for Loop Condition
Any suggestions related to this?
This result is a false positive. Since the loop is clearly limited, there's no vulnerability here. You should probably mark the result as "not exploitable" and get on with life.
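To show concretely why the bounded loop is not exploitable, here is an added example (not the asker's code and not anything from Checkmarx) of a service in the style of the posted SharedService. It assumes a MAX_LENGTH constant of 50 like the question's maxlength, and adds a second, loop-free variant using slice().map(), which enforces the same cap without a loop condition derived from the input at all, so a SAST taint rule of this kind has nothing to flag. The helper functions, the class name and the constructed inputs are assumptions for the demonstration.

```typescript
// Added example: a bounded deepCopy plus a loop-free variant.
// MAX_LENGTH mirrors the cap used in the question; all names are assumptions.
const MAX_LENGTH = 50;

class SharedService {
  // Bounded copy: the loop bound is min(input length, MAX_LENGTH), so an
  // oversized payload cannot force more than MAX_LENGTH iterations per array.
  deepCopy<T>(obj: T): T {
    if (obj === null || typeof obj !== 'object') {
      return obj; // primitives and null are returned as-is
    }
    if (Array.isArray(obj)) {
      const copy: unknown[] = [];
      const len = Math.min(obj.length, MAX_LENGTH);
      for (let i = 0; i < len; i++) {
        copy[i] = this.deepCopy(obj[i]);
      }
      return copy as unknown as T;
    }
    const src = obj as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(src)) {
      out[key] = this.deepCopy(src[key]);
    }
    return out as unknown as T;
  }

  // Loop-free variant: slice() applies the same cap and there is no loop
  // condition for a scanner to trace back to user input.
  deepCopyNoLoop<T>(obj: T): T {
    if (obj === null || typeof obj !== 'object') {
      return obj;
    }
    if (Array.isArray(obj)) {
      return obj
        .slice(0, MAX_LENGTH)
        .map((item: unknown) => this.deepCopyNoLoop(item)) as unknown as T;
    }
    const src = obj as Record<string, unknown>;
    return Object.keys(src).reduce<Record<string, unknown>>((acc, key) => {
      acc[key] = this.deepCopyNoLoop(src[key]);
      return acc;
    }, {}) as unknown as T;
  }
}

// Constructed input: an array far longer than the cap, standing in for an
// oversized value arriving via $event. Returns how many elements were copied.
function copiedLength(inputLength: number, useLoop: boolean): number {
  const svc = new SharedService();
  const payload = Array.from({ length: inputLength }, (_, i) => i);
  const copy = useLoop ? svc.deepCopy(payload) : svc.deepCopyNoLoop(payload);
  return copy.length;
}

// Confirms the copy is detached from the original, which is the reason
// modelChanges copies before assigning this.value[type][child].
function copyIsIndependent(): boolean {
  const svc = new SharedService();
  const original = { tab: { child: 'old' }, list: [1, 2, 3] };
  const copy = svc.deepCopy(original);
  copy.tab.child = 'new';
  copy.list[0] = 99;
  return original.tab.child === 'old' && original.list[0] === 1;
}
```

Running copiedLength(1000, true) and copiedLength(1000, false) both yield 50: the iteration count is fixed by the constant, not by the input, which is exactly the condition the answer relies on when calling the finding a false positive. If the team would rather make the finding disappear than triage it, the slice().map() form is the smaller change.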