False Positive in 829.1 on link tags
Problem
DAST CWE Check 829.1 does not restrict itself to rel=stylesheet, rel=preload as=style, or rel=preload as=script when assessing SRI attributes on <link> tags. This causes FPs when non-stylesheet link tags are used:
Example output of an FP:
"summary": "<link rel=\"alternate\" type=\"application/rss+xml\" title=\"RSS 2.0\" href=\"http://sindikasi.okezone.com/index.php/rss/0/RSS2.0\">"
Solution
(matcher *UntrustedScriptLinkTagsIncludedMatcher) Secure(tag *browserk.Tag, requestURL *url.URL) bool
should ensure that, when the tag is a <link>, the rel value is stylesheet (or preload with as=style / as=script) before requiring an integrity attribute:
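// Secure reports whether tag passes check 829.1: a <script> or <link> that loads
// a cross-origin resource is expected to carry a Subresource Integrity
// ("integrity") attribute. It returns true (nothing to report) when the tag has
// no URL, when the URL is relative or points back at requestURL's host, when the
// tag is a <link> whose rel does not take SRI (only rel=stylesheet and
// rel=preload with as=style or as=script do), or when an integrity attribute is
// present. Any other cross-origin <script>/<link> without integrity returns false.
func (matcher *UntrustedScriptLinkTagsIncludedMatcher) Secure(tag *browserk.Tag, requestURL *url.URL) bool {
	// tag.URLKey() is presumably "src" or "href" depending on the element — confirm against browserk.
	if !tag.HasAttribute(tag.URLKey()) {
		return true
	}
	urlValue := strings.TrimSpace(tag.GetAttributeValue(tag.URLKey()))

	// Parse the reference instead of substring-matching the host: a plain
	// strings.Contains(urlValue, requestURL.Host) also accepted URLs that merely
	// contain the host string in their path or query, or on another registrable
	// domain, and a "http" prefix test skipped protocol-relative "//host/..." URLs.
	if ref, err := url.Parse(urlValue); err == nil {
		if ref.Host == "" {
			// Relative path or non-network scheme (data:, javascript:, ...): not a third-party fetch.
			return true
		}
		if strings.EqualFold(ref.Hostname(), requestURL.Hostname()) {
			// Same-origin host: SRI is not required by this check.
			return true
		}
	}
	// An unparsable URL falls through and is held to the integrity requirement.

	if strings.EqualFold(tag.Name, "link") {
		// rel is a space-separated token list (e.g. "alternate stylesheet"),
		// so match tokens rather than the whole attribute value.
		rel := tag.GetAttributeValue("rel")
		switch {
		case relHasToken(rel, "stylesheet"):
			// Stylesheets take an integrity attribute; keep checking.
		case relHasToken(rel, "preload"):
			as := strings.TrimSpace(tag.GetAttributeValue("as"))
			// Only preloads of scripts and styles take SRI; note the previous
			// "||" made this condition always true, and the earlier stylesheet
			// test returned before a preload could ever be examined.
			if !strings.EqualFold(as, "script") && !strings.EqualFold(as, "style") {
				return true
			}
		default:
			// icon, alternate, canonical, dns-prefetch, ... — SRI does not apply.
			return true
		}
	}

	return tag.GetAttributeValue("integrity") != ""
}

// relHasToken reports whether the whitespace-separated token list rel contains
// token, compared case-insensitively as HTML link types are.
func relHasToken(rel, token string) bool {
	for _, t := range strings.Fields(rel) {
		if strings.EqualFold(t, token) {
			return true
		}
	}
	return false
}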