Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit fb5e13b

Browse files
erik-kroghmchammer01
erik-krogh
and
mchammer01
authored
Apply suggestions from doc review
Co-authored-by: mc <[email protected]>
1 parent 5e060fa commit fb5e13b

1 file changed

Lines changed: 7 additions & 7 deletions

File tree

javascript/ql/src/Security/CWE-829/InsecureDownload.qhelp

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -6,28 +6,28 @@
66
<p>
77
Downloading executeables or other sensitive files over an unencrypted connection
88
can leave a server open to man-in-the-middle attacks (MITM).
9-
Such a man-in-the-middle attack can allow an attacker to insert arbitary content
10-
into the downloaded file, and in the worst case allow the attacker to execute
11-
arbitary code on the vulnerable system.
9+
Such an attack can allow an attacker to insert arbitrary content
10+
into the downloaded file, and in the worst case, allow the attacker to execute
11+
arbitrary code on the vulnerable system.
1212
</p>
1313
</overview>
1414
<recommendation>
1515
<p>
16-
Use a secure transfer protocol when downloading executeables or other sensitive files.
16+
Use a secure transfer protocol when downloading executables or other sensitive files.
1717
</p>
1818
</recommendation>
1919
<example>
2020
<p>
21-
In this example a server downloads a shell script from a remote URL using the <code>node-fetch</code>
21+
In this example, a server downloads a shell script from a remote URL using the <code>node-fetch</code>
2222
library, and then executes this shell script.
2323
</p>
2424
<sample src="examples/insecure-download.js" />
2525
<p>
2626
The HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded
27-
shell script with arbitary code, which allows the attacker complete control over the attacked system.
27+
shell script with arbitrary code, which gives the attacker complete control over the system.
2828
</p>
2929
<p>
30-
The issue has been fixed in the below example by replacing the HTTP protocol with the HTTPS protocol.
30+
The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.
3131
</p>
3232
<sample src="examples/insecure-download.js" />
3333
</example>

0 commit comments

Comments
 (0)