
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Finds dynamic generation of URLs which don't use encoding API

SA-55632

Summary



When the security analyzer is run, it reports vulnerabilities for the PZMULTIDRAGDROPCONTROLSTANDARD control.


Error Messages



Not Applicable


Steps to Reproduce

  1. Use Save As to save the PZMULTIDRAGDROPCONTROLSTANDARD control into the application ruleset.
  2. Run the security analyzer for the pyUnsafeURL pattern.


Root Cause



A defect in Pegasystems’ code or rules.

ActiveX-related code is present in the PZMULTIDRAGDROPCONTROLSTANDARD control:

    var objXmlHttp = new ActiveXObject("Microsoft.XMLHTTP");



Resolution



Apply HFix-43183.

After deploying the hotfix, issues related to activities are observed in the Security Analyzer.

The issue reported for pyUnsafeURL is a false positive. The activity call in the control is not a security vulnerability. Hence, this can be ignored.

According to the documentation, a match to the Rule Analyzer Regular Expressions rule does not guarantee that the result constitutes a vulnerability in the code. The results must be reviewed to determine if any of the matches are false positives.

For more information, refer to the complete documentation: https://pdn.pega.com/sites/pdn.pega.com/files/help_v722/procomhelpmain.htm#security/rule%20security/sec-analyze-security-vulnerability-search-result-tsk.htm
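To show what the pyUnsafeURL pattern is looking for, here is an added example (not code from the Pega article, the control, or the hotfix) of a dynamically built URL with and without the encoding API. The function names, the base path and the parameter values are constructed for the illustration; only the encoding-versus-concatenation contrast is the point.

```javascript
// Added example, not from the Pega article or hotfix.
// Contrasts a dynamically generated URL built by raw concatenation with one
// built through the encoding API, and parses both back the way a server would.

// "Before": raw string concatenation. A value containing '&' or '=' is
// spliced into the query string as-is and changes its structure.
function buildUrlUnsafe(base, params) {
  const parts = [];
  for (const key of Object.keys(params)) {
    parts.push(key + "=" + params[key]);
  }
  return base + "?" + parts.join("&");
}

// "After": every key and value passes through encodeURIComponent, so reserved
// characters reach the server as literal data rather than as delimiters.
function buildUrlSafe(base, params) {
  const parts = [];
  for (const key of Object.keys(params)) {
    parts.push(encodeURIComponent(key) + "=" + encodeURIComponent(params[key]));
  }
  return base + "?" + parts.join("&");
}

// Minimal query-string parser, used only to show what each URL decodes to.
function parseQuery(url) {
  const query = url.split("?")[1] || "";
  const out = {};
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const [k, v] = pair.split("=");
    out[decodeURIComponent(k)] = decodeURIComponent(v === undefined ? "" : v);
  }
  return out;
}

// Constructed sample input: a "name" value that carries an extra parameter.
const SAMPLE_BASE = "/app/activity";
const SAMPLE_PARAMS = { action: "Run", name: "x&admin=true" };

// Unencoded: the server sees three parameters, including admin=true.
// Encoded: the server sees two parameters and name holds the literal string.
const unsafeResult = parseQuery(buildUrlUnsafe(SAMPLE_BASE, SAMPLE_PARAMS));
const safeResult = parseQuery(buildUrlSafe(SAMPLE_BASE, SAMPLE_PARAMS));
```

A regex-based analyzer only sees the concatenation, not whether the value is attacker-controlled, which is why a hit like the activity call in the control still needs manual review before being treated as a vulnerability.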


Published September 12, 2018 - Updated October 8, 2020
