Ajin Abraham

Results 124 comments of Ajin Abraham

@matt- @luin serialize-to-js has added a similar fix with esprima: https://github.com/commenthol/serialize-to-js/commit/1cd433960e5b9db4c0b537afb28366198a319429#diff-e7dae32b4b6750909b222cf0d70f6575 https://github.com/commenthol/serialize-to-js/blob/master/lib/internal/sanitize.js

I haven't checked that code. But yes, this blacklist: https://github.com/commenthol/serialize-to-js/blob/1cd433960e5b9db4c0b537afb28366198a319429/lib/internal/sanitize.js#L6 is definitely not going to solve the issue.

I think this is something we can fix here https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/29068545f3e8617db17b735331d3db1c91dbda4d/mobsf/StaticAnalyzer/views/android/converter.py#L36 @superpoussin22

Thanks for the report. I will take a look at this and revert.

Thanks for the excellent research @rustaska. I will review and get this PR merged soon.

@matandobr Addressed some of the review comments.

> This happened after I deleted a suppression by rule ID

Can you reproduce this reliably/share steps to reproduce? I cannot reproduce...

This is applicable if user input anywhere from HTTP request reaches the `hash()` function. I did a quick check by setting up a sample app and tried to control the...

This started to occur for some users after we updated [njsscan](https://github.com/ajinabraham/libsast/pull/20/files) to use semgrep 0.104 https://github.com/ajinabraham/njsscan/issues/95

Seems related: https://github.com/ajinabraham/njsscan/issues/95

The issue comes from semgrep. You might want to bump on the upstream issue.