Deserialization of untrusted object

Severity
High

Deserialization of untrusted or potentially malformed data can be exploited for denial of service or to execute untrusted code.

Detector ID
typescript/untrusted-deserialization@v1.0
Category

Noncompliant example

function untrustedDeserializationNoncompliant() {
  var script = document.createElement("script");
  script.src = "https://example.com/script.js";
  // Noncompliant: integrity is not checked, so whatever the server (or anyone
  // who can alter the response) returns is executed in the page.
  document.head.appendChild(script);
}

Compliant example

function untrustedDeserializationCompliant() {
  var script = document.createElement("script");
  script.src = "https://example.com/script.js";
  // Compliant: integrity is checked. The browser refuses to run the script
  // if the fetched bytes do not hash to this value.
  script.integrity =
    "sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC";
  // Required for a cross-origin script: without it the response is opaque,
  // the integrity check cannot be performed, and the script is blocked.
  script.crossOrigin = "anonymous";
  document.head.appendChild(script);
}