Finds dynamic generation of URLs that do not use the encoding API.
On running the Security Analyzer, vulnerabilities are reported for the PZMULTIDRAGDROPCONTROLSTANDARD control.
Steps to Reproduce
- Save As the PZMULTIDRAGDROPCONTROLSTANDARD control into the application ruleset.
- Run the Security Analyzer for the pyUnsafeURL pattern.
A defect in Pegasystems’ code or rules.
ActiveX-related code is present in the PZMULTIDRAGDROPCONTROLSTANDARD control:
var objXmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
After the hotfix is deployed, the Security Analyzer reports issues related to activity calls.
The pyUnsafeURL issue reported for this control is a false positive: the activity call in the control is not a security vulnerability and can be ignored.
According to the documentation, a match to a Rule Analyzer Regular Expressions rule does not guarantee that the result is a vulnerability in the code. The results must be reviewed to determine which matches are false positives.
For more information, refer to the complete documentation: https://pdn.pega.com/sites/pdn.pega.com/files/help_v722/procomhelpmain.htm#security/rule%20security/sec-analyze-security-vulnerability-search-result-tsk.htm
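As an added illustration that is not part of this article and not Pega's own code or Security Analyzer pattern, the following JavaScript toy scanner flags lines that build a URL by string concatenation and then triages each hit, showing why a pattern match on its own is not a vulnerability: a URL assembled only from constants is a false positive, a dynamic part wrapped in an encoding call is safe, and an unencoded dynamic part is a real finding. The assignment heuristic, the encoding-API list (standard encodeURI/encodeURIComponent) and the sample lines, including the placeholder activity name, are assumptions for this example, not the actual pyUnsafeURL regular expression.

```javascript
// Added example (not from the Pega article or Pega's own code): a toy line scanner
// that imitates the idea behind a "dynamic URL without encoding API" pattern and
// then triages each match, showing why a regex hit alone is not a vulnerability.
// The URL-assignment heuristic and the encoding-API list below are assumptions
// chosen for this demonstration; they are not Pega's pyUnsafeURL regular expression.

// Encoding calls that make a dynamic URL component safe (assumed list, standard JS APIs).
const ENCODING_API = /\b(?:encodeURIComponent|encodeURI)\s*\(/;

// A part that is nothing but one string literal, e.g. "/prweb?pyActivity=".
const STRING_LITERAL = /^(?:"[^"]*"|'[^']*')$/;

// Split an expression on '+' operators that sit outside quotes and parentheses,
// so "a" + f(b + c) + 'd' yields ['"a"', 'f(b + c)', "'d'"].
function splitTopLevelPlus(expr) {
  const parts = [];
  let depth = 0;
  let quote = null;
  let current = '';
  for (const ch of expr) {
    if (quote) {
      current += ch;
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      current += ch;
    } else if (ch === '+' && depth === 0) {
      parts.push(current.trim());
      current = '';
    } else {
      if (ch === '(') depth += 1;
      if (ch === ')') depth -= 1;
      current += ch;
    }
  }
  if (current.trim() !== '') parts.push(current.trim());
  return parts;
}

// Classify one line of script and return a verdict string.
function classifyUrlLine(line) {
  // Heuristic: an assignment whose right-hand side can be inspected.
  const m = /^\s*(?:var|let|const)?\s*[\w.]+\s*=\s*(.+?);?\s*$/.exec(line);
  if (!m) return 'no URL assignment';
  const parts = splitTopLevelPlus(m[1]);
  // Only treat the line as URL construction when a literal piece looks like a path or query.
  const looksLikeUrl = parts.some((p) => STRING_LITERAL.test(p) && /[\/?&]/.test(p));
  if (!looksLikeUrl || parts.length < 2) return 'no dynamic URL';
  const dynamicParts = parts.filter((p) => !STRING_LITERAL.test(p));
  if (dynamicParts.length === 0) {
    // Every operand is a constant: the pattern would match, but nothing is attacker-controlled.
    return 'false positive: URL built only from literals';
  }
  if (dynamicParts.every((p) => ENCODING_API.test(p))) {
    return 'safe: dynamic parts pass through an encoding API';
  }
  return 'finding: dynamic URL part without encoding API';
}

// Scan a multi-line snippet and return one verdict per non-empty line.
function scanSnippet(source) {
  return source.split('\n')
    .map((line) => line.trim())
    .filter((line) => line !== '')
    .map((line) => ({ line, verdict: classifyUrlLine(line) }));
}

// Constructed sample snippet; the activity name is a placeholder, not a real Pega rule.
const SAMPLE_SNIPPET = `
  var objXmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
  var url1 = "/prweb?pyActivity=" + activityName + "&param=" + userValue;
  var url2 = "/prweb?pyActivity=" + encodeURIComponent(activityName);
  var url3 = "/prweb?pyActivity=" + "MyCo-App-Work.ConstructedActivity" + "&mode=save";
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const { line, verdict } of scanSnippet(SAMPLE_SNIPPET)) {
    console.log(`${verdict}\n    ${line}`);
  }
}
```

Running the file prints one verdict per sample line: the ActiveX line is not a URL at all, url1 is a genuine finding, url2 is safe, and url3 is the kind of constant activity call that a regex pattern flags but a reviewer dismisses as a false positive.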