scenario.iterationInTest results in CWE check failure

Hello,
I am using a shared array with scenario.iterationInTest, as I can’t re-use data in my tests. Using this, however, is generating a security error on CWE scans, semgrep (configured in pipeline scans) as Semgrep
I am using the standard bracket object notation, as below, to get the data from the shared array as documented:
data[scenario.iterationInTest].accountNumber

How do we mitigate this? Since scenario.iterationInTest is an index (not a property that I can replace with dot notation or put some checks prior to accessing the object key).

Thanks,
Sumanta

Hi @sumanta.r86,
you shouldn’t mitigate it; you can just add a rule to better instrument your linter, because the k6/execution variables are generated by the k6 runtime and are not user inputs.
The quick way should be to just exclude the line for that detect-object-injection linter. If instead you have a big codebase with a lot of them, you could consider creating a more general rule in your eslint configuration.

Let me know if it helps.

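One way to apply the line-level exclusion suggested in the reply above, as an added example that is not from the original posts or the k6 project. The helper names and sample rows are assumptions, the rule id assumes eslint-plugin-security registered under its usual `security` prefix, and the bounds check is an optional extra the reply does not call for.

```javascript
// Constructed sample rows standing in for the SharedArray contents.
const sampleRows = Object.freeze([
  { accountNumber: 'ACC-0001' },
  { accountNumber: 'ACC-0002' },
  { accountNumber: 'ACC-0003' },
]);

// Hypothetical helper: true only for an integer position inside the array.
// String keys such as "__proto__" or "constructor", which are what
// detect-object-injection is concerned with, never pass this check.
function isArrayIndex(rows, index) {
  return Number.isInteger(index) && index >= 0 && index < rows.length;
}

// Hypothetical helper: return the row reserved for one iteration.
// Throws instead of returning undefined when the data set is exhausted,
// so a test that must not re-use data fails loudly.
function rowForIteration(rows, iteration) {
  if (!isArrayIndex(rows, iteration)) {
    throw new RangeError(`no unused row for iteration ${String(iteration)}`);
  }
  // The suppression is scoped to this one line and carries its justification.
  // Semgrep honours a `// nosemgrep` comment on the flagged line in the same way.
  // eslint-disable-next-line security/detect-object-injection -- k6 runtime counter, validated above
  return rows[iteration];
}

// In a k6 script (not runnable under Node, shown for orientation):
//   import { scenario } from 'k6/execution';
//   const account = rowForIteration(data, scenario.iterationInTest).accountNumber;
```

Keeping the bracket access in one helper means the suppression comment appears once instead of at every call site.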