fix: Unvalidated dynamic method call #888

Merged
merged 8 commits into from
Nov 17, 2024

Conversation

bitpredator
Owner

Fixes #[issue_no]

All Submissions:

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Does your submission pass tests?

Please describe the changes this PR makes and why it should be merged:

Discord username (if different from GitHub):


const ye = { post: Qg, onEvent: qg, emitEvent: Yg },
Kg = () => (window.addEventListener('message', e => {
!ta[e.data.type] || ta[e.data.type](e.data.payload);

Check failure

Code scanning / CodeQL

Unvalidated dynamic method call (High)

Invocation of method with user-controlled name may dispatch to unexpected target and cause an exception.

Copilot Autofix AI about 2 months ago

To fix the problem, we need to ensure that the method name derived from user input (e.data.type) is validated before it is used to access and invoke a method on the ta object. Specifically, we should:

  1. Check if e.data.type is a valid key in the ta object using hasOwnProperty.
  2. Verify that the value corresponding to e.data.type in the ta object is a function before invoking it.

This can be achieved by modifying the code on line 6110 to include these validation checks.

Suggested changeset 1
server-data/resources/[esx]/fivem-appearance/web/dist/assets/index.3e1fdbaf.js

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/server-data/resources/[esx]/fivem-appearance/web/dist/assets/index.3e1fdbaf.js b/server-data/resources/[esx]/fivem-appearance/web/dist/assets/index.3e1fdbaf.js
--- a/server-data/resources/[esx]/fivem-appearance/web/dist/assets/index.3e1fdbaf.js
+++ b/server-data/resources/[esx]/fivem-appearance/web/dist/assets/index.3e1fdbaf.js
@@ -6109,3 +6109,5 @@
 	Kg = () => (window.addEventListener('message', e => {
-		!ta[e.data.type] || ta[e.data.type](e.data.payload);
+		if (ta.hasOwnProperty(e.data.type) && typeof ta[e.data.type] === 'function') {
+			ta[e.data.type](e.data.payload);
+		}
 	}), null), Ff = {
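Review bot: The guard on the `+` lines is correct, but it is applied to a built bundle (`web/dist/assets/index.3e1fdbaf.js`, a hashed dist file), so the next rebuild of the web UI will emit a bundle without it; the same check belongs in the source the bundle is compiled from, with the dist file regenerated from it. Two smaller points on the same lines: `ta.hasOwnProperty(e.data.type)` is more robust as `Object.prototype.hasOwnProperty.call(ta, e.data.type)`, since it then does not depend on `ta` inheriting from `Object.prototype`, and `e.data.type` still throws if a message arrives whose `data` is null or not an object, so a `typeof e.data === 'object' && e.data !== null` check ahead of the lookup would keep the listener from raising at all.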
EOF
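The dispatch pattern the alert and the autofix describe, as an added example that is not code from the fivem-appearance bundle or from this PR: a `message` handler that looks up a handler by `e.data.type`, first in the unsafe shape CodeQL flags and then with the own-property and callable checks applied, plus a guard on the message body itself. The table `handlers`, the function names and the sample messages are constructed for this illustration.

```javascript
// Constructed dispatch table standing in for the bundle's `ta` object
// (handler names are made up for this illustration).
const handlers = {
  setCamera: (payload) => `camera:${payload}`,
  setMenu: (payload) => `menu:${payload}`,
};

// Unsafe shape flagged by the alert: any property reachable through the
// prototype chain is a dispatch candidate. '__proto__' resolves to an object,
// so calling it throws; 'constructor' resolves to Object and gets called.
function dispatchUnsafe(table, data) {
  return !table[data.type] || table[data.type](data.payload);
}

// Hardened version: only own, callable properties are invoked. The message
// body is checked first, because a non-object e.data would otherwise throw
// on data.type before any allowlist check runs.
function dispatchMessage(table, data) {
  if (data === null || typeof data !== 'object' || typeof data.type !== 'string') {
    return { handled: false, reason: 'malformed' };
  }
  if (!Object.prototype.hasOwnProperty.call(table, data.type) ||
      typeof table[data.type] !== 'function') {
    return { handled: false, reason: 'unknown type' };
  }
  return { handled: true, result: table[data.type](data.payload) };
}

// Wiring as the bundle does it; the listener itself can no longer throw on
// a malformed or unexpected message. `target` is window in a browser.
function installListener(table, target) {
  target.addEventListener('message', (e) => dispatchMessage(table, e.data));
}

// Constructed messages: one legitimate, the rest probing inherited names
// and a body that is not an object at all.
function demo() {
  const msgs = [
    { type: 'setCamera', payload: 1 },
    { type: '__proto__', payload: {} },
    { type: 'constructor', payload: 'x' },
    { type: 'hasOwnProperty', payload: 'setCamera' },
    null,
  ];
  return msgs.map((m) => dispatchMessage(handlers, m));
}
```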
@bitpredator bitpredator merged commit 494b13f into main Nov 17, 2024
4 of 9 checks passed