Support Article
Finds dynamic generation of URLs which don't use encoding API
Summary
When the security analyzer is run, vulnerabilities are reported for the PZMULTIDRAGDROPCONTROLSTANDARD control.
Error Messages
Not Applicable
Steps to Reproduce
- Save As the PZMULTIDRAGDROPCONTROLSTANDARD control into the application ruleset.
- Run the security analyzer for the pyUnsafeURL pattern.
Root Cause
A defect in Pegasystems’ code or rules.
ActiveX-related code is present in the PZMULTIDRAGDROPCONTROLSTANDARD control:
var objXmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
Resolution
Apply HFix-43183.
After the hotfix is deployed, the Security Analyzer reports issues related to activities.
The issue reported for pyUnsafeURL is a false positive: the activity call in the control is not a security vulnerability, so it can be ignored.
According to the documentation, a match to the Rule Analyzer Regular Expressions rule does not guarantee that the result constitutes a vulnerability in the code. The results must be reviewed to determine if any of the matches are false positives.
For more information, refer to the complete documentation: https://pdn.pega.com/sites/pdn.pega.com/files/help_v722/procomhelpmain.htm#security/rule%20security/sec-analyze-security-vulnerability-search-result-tsk.htm
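The following is an added example, not Pega's code or the pyUnsafeURL rule itself. It shows the kind of dynamic URL construction the pattern looks for (untrusted input concatenated into a URL without the encoding API), the encoded alternative, and a constructed regex-style check that, like the Rule Analyzer, flags both a real finding and a benign constant concatenation, which is why each match still has to be reviewed. The regular expressions, function names and sample source lines are all assumptions made for this illustration.

```javascript
// Added example (not Pega's code): unsafe vs. encoded URL construction, plus a
// constructed regex-style check that illustrates why analyzer matches need review.

// Unsafe: the value is concatenated straight into the URL, so characters such
// as '&', '=' or '#' in the value change the structure of the resulting URL.
function buildUrlUnsafe(base, paramName, value) {
  return base + "?" + paramName + "=" + value;
}

// Safe: every dynamic part goes through the encoding API, so the value travels
// as data and cannot add or alter query parameters.
function buildUrlSafe(base, paramName, value) {
  return base + "?" + encodeURIComponent(paramName) + "=" + encodeURIComponent(value);
}

// Constructed stand-in for an analyzer regular expression (assumption, not the
// real pyUnsafeURL pattern): flag a line where a string literal is concatenated
// with an identifier and no encoding API call appears on that line.
const URL_BUILD = /["'][^"']*["']\s*\+\s*\w+/;
const ENCODING_API = /encodeURIComponent\(|encodeURI\(|URLSearchParams/;

// Returns the 1-based line numbers that the heuristic flags.
function scanLines(lines) {
  return lines
    .map((text, index) => ({ line: index + 1, text }))
    .filter(({ text }) => URL_BUILD.test(text) && !ENCODING_API.test(text))
    .map(({ line }) => line);
}

// Constructed sample source:
//   line 1 - a genuine finding (user input concatenated without encoding)
//   line 2 - the same construction using the encoding API (not flagged)
//   line 3 - a fixed activity name from a code constant; the regex matches it,
//            but a reviewer would mark it as a false positive
const SAMPLE = [
  'var url = "/app?q=" + userInput;',
  'var url2 = "/app?q=" + encodeURIComponent(userInput);',
  'var actUrl = "pyActivity=" + ACTIVITY_NAME;'
];

// Stand-alone run: lines 1 and 3 are flagged; only line 1 is a real issue.
console.log("flagged lines:", scanLines(SAMPLE));
console.log("unsafe:", buildUrlUnsafe("/app", "q", "x&admin=1"));
console.log("safe:  ", buildUrlSafe("/app", "q", "x&admin=1"));
```

Running the block prints that lines 1 and 3 are flagged. The reviewer's job, as the documentation describes, is to confirm that line 1 carries untrusted input while line 3 only concatenates a constant, so the second match is dismissed as a false positive rather than treated as a vulnerability.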
Published September 12, 2018 - Updated October 8, 2020