
style: normalize xml files (LF + trim) #12665


Draft
wants to merge 1 commit into base: dev

Conversation

astounds

I've split the formatting changes into separate commits (or PRs) by file type for safer review:

  • ✅ Each change is still whitespace-only (git diff -w shows empty)
  • 📦 Grouped by MIME type: all .xml together
  • 🔍 Easier to revert/review per category

This commit only touches 103 xml files.


DryRun Security

This pull request contains multiple security vulnerabilities in AngularJS version 1.7.7, including End-of-Life software risks, Prototype Pollution, Regular Expression Denial of Service, and potential Information Disclosure through sensitive scan reports, though none of these findings are currently blocking the pull request.

End-of-Life Software Risk in unittests/scans/burp_dastardly/many_findings.xml
Vulnerability: End-of-Life Software Risk
Description: The XML report indicates that AngularJS version 1.7.7 is End-of-Life (EOL), which introduces significant security risks. EOL software no longer receives security updates, bug fixes, or support, making the application vulnerable to newly discovered exploits.

- XSS via JQLite DOM manipulation functions in AngularJS: https://github.com/advisories/GHSA-5cp4-xmrw-59wf
- CVE-2020-7676 (https://nvd.nist.gov/vuln/detail/CVE-2020-7676): XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element.
- CVE-2020-7676 (https://nvd.nist.gov/vuln/detail/CVE-2020-7676): angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one.
- CVE-2019-10768 (https://nvd.nist.gov/vuln/detail/CVE-2019-10768): Prototype pollution
- CVE-2023-26118 (https://nvd.nist.gov/vuln/detail/CVE-2023-26118): angular vulnerable to regular expression denial of service via the <input> element
- End-of-Life: Long term support for AngularJS has been discontinued: https://blog.angular.io/discontinued-long-term-support-for-angularjs-cc066b82e65a?gi=9d3103b5445c
- CVE-2022-25869 (https://nvd.nist.gov/vuln/detail/CVE-2022-25869): Angular (deprecated package) Cross-site Scripting
- CVE-2022-25844 (https://nvd.nist.gov/vuln/detail/CVE-2022-25844): angular vulnerable to regular expression denial of service (ReDoS)
- CVE-2023-26116 (https://nvd.nist.gov/vuln/detail/CVE-2023-26116): angular vulnerable to regular expression denial of service via the angular.copy() utility
- CVE-2023-26117 (https://nvd.nist.gov/vuln/detail/CVE-2023-26117): angular vulnerable to regular expression denial of service via the $resource service

Prototype Pollution in unittests/scans/burp_dastardly/many_findings.xml
Vulnerability: Prototype Pollution
Description: The security scan report reveals a Prototype Pollution vulnerability (CVE-2019-10768) in AngularJS version 1.7.7. This can potentially lead to remote code execution or property injection depending on the application's context.

Regular Expression Denial of Service in unittests/scans/burp_dastardly/many_findings.xml
Vulnerability: Regular Expression Denial of Service
Description: Multiple ReDoS vulnerabilities (CVE-2023-26118, CVE-2022-25844, CVE-2023-26116, CVE-2023-26117) are identified in AngularJS version 1.7.7. These can lead to resource exhaustion and potential denial of service attacks through carefully crafted regular expressions.

Information Disclosure in tests/dedupe_scans/multiple_findings.xml
Vulnerability: Information Disclosure
Description: Multiple XML files in the repository contain detailed security scan reports with sensitive information such as internal file paths, code snippets, vulnerability details, and organizational metadata. If these files are accidentally exposed, they could provide attackers with valuable reconnaissance information about the application's structure and potential weaknesses.

<?xml version="1.0" encoding="utf-8"?>
<CxXMLResults InitiatorName="Initiator Name" Owner="domain\user" ScanId="1000227" ProjectId="121" ProjectName="Webgoat" TeamFullPathOnReportDate="team\full\path" DeepLink="https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&amp;projectid=121" ScanStart="Sunday, February 25, 2018 11:35:52 AM" Preset="Checkmarx Default" ScanTime="00h:07m:13s" LinesOfCodeScanned="92054" FilesScanned="480" ReportCreationTime="Monday, April 22, 2019 3:12:18 PM" Team="team_name" CheckmarxVersion="8.6.0 HF1" ScanComments="" ScanType="Full" SourceOrigin="LocalPath" Visibility="Public">
<Query id="594" categories="PCI DSS v3.2;PCI DSS (3.2) - 6.5.1 - Injection flaws - particularly SQL injection,OWASP Top 10 2013;A1-Injection,FISMA 2014;System And Information Integrity,NIST SP 800-53;SI-10 Information Input Validation (P1),OWASP Top 10 2017;A1-Injection,OWASP Mobile Top 10 2016;M7-Client Code Quality" cweId="89" name="SQL_Injection" group="Java_High_Risk" Severity="High" Language="Java" LanguageHash="0125540914009541" LanguageChangeDate="2018-02-12T00:00:00.0000000" SeverityIndex="3" QueryPath="Java\Cx\Java High Risk\SQL Injection Version:1" QueryVersionCode="56142311">
<Result NodeId="10002270020" FileName="WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java" Status="New" Line="38" Column="52" FalsePositive="False" Severity="High" AssignToUser="" state="0" Remark="" DeepLink="https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&amp;projectid=121&amp;pathid=20" SeverityIndex="3">
<Path ResultId="1000227" PathId="20" SimilarityId="-1145061043">
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>38</Line>
<Column>52</Column>
<NodeId>1</NodeId>
<Name>username_login</Name>
<Type></Type>
<Length>14</Length>
<Snippet>
<Line>
<Number>38</Number>
<Code> public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>49</Line>
<Column>134</Column>
<NodeId>2</NodeId>
<Name>username_login</Name>
<Type></Type>
<Length>14</Length>
<Snippet>
<Line>
<Number>49</Number>
<Code> PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = '" + username_login + "' and password = '" + password_login + "'");</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>49</Line>
<Column>66</Column>
<NodeId>3</NodeId>
<Name>prepareStatement</Name>
<Type></Type>
<Length>1</Length>
<Snippet>
<Line>
<Number>49</Number>
<Code> PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = '" + username_login + "' and password = '" + password_login + "'");</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>49</Line>
<Column>27</Column>
<NodeId>4</NodeId>
<Name>statement</Name>
<Type></Type>
<Length>9</Length>
<Snippet>
<Line>
<Number>49</Number>
<Code> PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = '" + username_login + "' and password = '" + password_login + "'");</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>50</Line>
<Column>31</Column>
<NodeId>5</NodeId>
<Name>statement</Name>
<Type></Type>
<Length>9</Length>
<Snippet>
<Line>
<Number>50</Number>
<Code> ResultSet resultSet = statement.executeQuery();</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>50</Line>
<Column>53</Column>
<NodeId>6</NodeId>
<Name>executeQuery</Name>
<Type></Type>
<Length>1</Length>
<Snippet>
<Line>
<Number>50</Number>
<Code> ResultSet resultSet = statement.executeQuery();</Code>
</Line>
</Snippet>
</PathNode>
</Path>
</Result>
<Result NodeId="10002270021" FileName="WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java" Status="New" Line="38" Column="89" FalsePositive="False" Severity="High" AssignToUser="" state="0" Remark="" DeepLink="https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&amp;projectid=121&amp;pathid=21" SeverityIndex="3">
<Path ResultId="1000227" PathId="21" SimilarityId="-658085948">
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>38</Line>
<Column>89</Column>
<NodeId>1</NodeId>
<Name>password_login</Name>
<Type></Type>
<Length>14</Length>
<Snippet>
<Line>
<Number>38</Number>
<Code> public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>49</Line>
<Column>174</Column>
<NodeId>2</NodeId>
<Name>password_login</Name>
<Type></Type>
<Length>14</Length>
<Snippet>
<Line>
<Number>49</Number>
<Code> PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = '" + username_login + "' and password = '" + password_login + "'");</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>49</Line>
<Column>66</Column>
<NodeId>3</NodeId>
<Name>prepareStatement</Name>
<Type></Type>
<Length>1</Length>
<Snippet>
<Line>
<Number>49</Number>
<Code> PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = '" + username_login + "' and password = '" + password_login + "'");</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>49</Line>
<Column>27</Column>
<NodeId>4</NodeId>
<Name>statement</Name>
<Type></Type>
<Length>9</Length>
<Snippet>
<Line>
<Number>49</Number>
<Code> PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = '" + username_login + "' and password = '" + password_login + "'");</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>50</Line>
<Column>31</Column>
<NodeId>5</NodeId>
<Name>statement</Name>
<Type></Type>
<Length>9</Length>
<Snippet>
<Line>
<Number>50</Number>
<Code> ResultSet resultSet = statement.executeQuery();</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java</FileName>
<Line>50</Line>
<Column>53</Column>
<NodeId>6</NodeId>
<Name>executeQuery</Name>
<Type></Type>
<Length>1</Length>
<Snippet>
<Line>
<Number>50</Number>
<Code> ResultSet resultSet = statement.executeQuery();</Code>
</Line>
</Snippet>
</PathNode>
</Path>
</Result>
<Result NodeId="10002270022" FileName="WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java" Status="New" Line="43" Column="62" FalsePositive="False" Severity="High" AssignToUser="" state="0" Remark="" DeepLink="https://checkmarxserver.com/CxWebClient/ViewerMain.aspx?scanid=1000227&amp;projectid=121&amp;pathid=22" SeverityIndex="3">
<Path ResultId="1000227" PathId="22" SimilarityId="1359889495">
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java</FileName>
<Line>43</Line>
<Column>62</Column>
<NodeId>1</NodeId>
<Name>username_reg</Name>
<Type></Type>
<Length>12</Length>
<Snippet>
<Line>
<Number>43</Number>
<Code> public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java</FileName>
<Line>50</Line>
<Column>102</Column>
<NodeId>2</NodeId>
<Name>username_reg</Name>
<Type></Type>
<Length>12</Length>
<Snippet>
<Line>
<Number>50</Number>
<Code> String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'";</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java</FileName>
<Line>50</Line>
<Column>20</Column>
<NodeId>3</NodeId>
<Name>checkUserQuery</Name>
<Type></Type>
<Length>14</Length>
<Snippet>
<Line>
<Number>50</Number>
<Code> String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'";</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java</FileName>
<Line>52</Line>
<Column>58</Column>
<NodeId>4</NodeId>
<Name>checkUserQuery</Name>
<Type></Type>
<Length>14</Length>
<Snippet>
<Line>
<Number>52</Number>
<Code> ResultSet resultSet = statement.executeQuery(checkUserQuery);</Code>
</Line>
</Snippet>
</PathNode>
<PathNode>
<FileName>WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java</FileName>
<Line>52</Line>
<Column>57</Column>
<NodeId>5</NodeId>
<Name>executeQuery</Name>
<Type></Type>
<Length>1</Length>
<Snippet>
<Line>
<Number>52</Number>
<Code> ResultSet resultSet = statement.executeQuery(checkUserQuery);</Code>
</Line>
</Snippet>
</PathNode>
</Path>
</Result>
</Query>
</CxXMLResults>

All finding details can be found in the DryRun Security Dashboard.

@mtesauro mtesauro marked this pull request as draft June 22, 2025 17:24