Friday, November 24, 2017

Re: Code Scanner Reporting Vulnerabilities on GWT-generated code

Hi Aleks,

SonarQube used to throw lots of warnings on GWT-generated code. Upgrading to version 6.3 was enough to get rid of most warnings (there are no miracles; sometimes I get a warning or two when analyzing an app that had just a minor change in the Java code).

Hope this helps,
Rodolfo 

On Thu, Nov 23, 2017 at 11:13 PM Aleks <aleksandar.milisic@gmail.com> wrote:
Hi,

we are currently going through a security audit and as part of that doing static code scans. The scanner has returned two issues with the GWT-generated <module>.nocache.js files.

We can't really fix these as they are generated, but we were hoping we could challenge them if we had a good explanation or some "official" GWT resource suggesting the code is actually safe.
I have found some previous posts on similar or the same issues, but was hoping I could get a response more relevant to the version we are using (2.8.1) or an official resource (perhaps results of other scans/security audits?).


Below are the two issues with explanations and the code lines.

1. Cross Site Scripting

Description: The method f() in <module>.nocache.js sends unvalidated data to a web browser on line 13, which can result in the browser executing malicious code. Sending unvalidated data to a web browser can result in the browser executing malicious code.

Code: function f(a){if(a.match(/^\w+:\/\//)){}else{var b=r.createElement(Gb);b.src=a+Hb;a=e(b.src)}return a}

2. Dynamic Code Evaluation - Code Injection

Description: The file webadmin.nocache.js interprets unvalidated user input as source code on line 15. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.

Code: if(m.addEventListener){m.addEventListener($b,function(){H();M()},false)}var L=setInterval(function(){if(/loaded|complete/.test(m.readyState)){H();M()}},50);n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Q,millis:(new Date).getTime(),type:W});n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Nb,millis:(new Date).getTime(),type:R});m.write(_b)}


Thanks for your help!

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
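The two findings above, worked through as an added example that is not part of the original thread and is not GWT's own code. Part 1 is a readable reconstruction of the minified f() run under Node against a small stand-in for the browser document; the names ensureAbsoluteUrl and getDirectoryOfFile and the appended file name "clear.cache.gif" are this example's assumptions about what the minified e and Hb stand for. Part 2 is a triage pass for the document.write finding that checks whether the argument of each .write() call (the _b in m.write(_b)) is declared as a string literal in the bootstrap. The sample input is constructed to mirror the quoted lines; the value of _b in it is a placeholder, not the real constant, and the second sink (Z from location.hash) is constructed only to show what a genuine positive looks like.

```javascript
// Added example, not GWT's own code: a readable reconstruction of the helper the
// scanner reported as f() in <module>.nocache.js, run against a stand-in for the
// browser document, plus a triage pass for the document.write finding.
// Function names (ensureAbsoluteUrl, getDirectoryOfFile) and the appended file
// name "clear.cache.gif" are assumptions about what the minified e and Hb mean.

// Role of the minified e(): keep only the directory part of an absolute URL.
function getDirectoryOfFile(absUrl) {
  const path = absUrl.split(/[?#]/)[0];              // drop query and fragment
  return path.substring(0, path.lastIndexOf("/") + 1);
}

// Readable form of
//   function f(a){if(a.match(/^\w+:\/\//)){}else{var b=r.createElement(Gb);b.src=a+Hb;a=e(b.src)}return a}
// An absolute base URL is returned as-is. A relative one is resolved by the
// browser: assigning it to the src of a detached <img> and reading src back
// yields the absolute, normalised URL. The element is never attached to the
// document, so nothing is rendered; the value flows out as a URL, not as HTML.
function ensureAbsoluteUrl(url, doc) {
  if (url.match(/^\w+:\/\//)) {
    // already absolute: nothing to do
  } else {
    const img = doc.createElement("img");
    img.src = url + "clear.cache.gif";   // assumed value of the constant Hb
    url = getDirectoryOfFile(img.src);   // browser hands back the resolved URL
  }
  return url;
}

// Stand-in for the browser document so the function runs under Node: the
// element's src getter resolves against the page URL, as a real <img> does.
function makeFakeDocument(pageUrl) {
  return {
    createElement(_tagName) {
      let raw = "";
      return {
        set src(value) { raw = value; },
        get src() { return new URL(raw, pageUrl).href; },
      };
    },
  };
}

// Triage for finding 2: for every `.write(NAME)` in a minified bootstrap, report
// whether NAME is declared as a string literal (a compile-time constant, which is
// what the quoted m.write(_b) looks like) or as something that needs manual review.
function triageWriteSinks(source) {
  const results = [];
  const sinkRe = /\.write\(([A-Za-z_$][\w$]*)\)/g;
  let m;
  while ((m = sinkRe.exec(source)) !== null) {
    const name = m[1];
    const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    // matches `var NAME='...'`, `var NAME="..."` or `,NAME='...'` inside a var list
    const declRe = new RegExp(
      String.raw`(?:var\s+|,)` + escaped + String.raw`=('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")`
    );
    const decl = declRe.exec(source);
    results.push({
      name,
      literal: decl ? decl[1] : null,
      verdict: decl ? "constant string: not runtime input" : "not a literal: review by hand",
    });
  }
  return results;
}

// Constructed sample in the shape of the quoted lines. The value of _b is a
// placeholder; read the real constant from your own build's nocache.js. The
// second sink (Z from location.hash) is constructed to show a genuine positive.
const SAMPLE_NOCACHE =
  "var Gb='img',Hb='clear.cache.gif',_b='PLACEHOLDER_CONSTANT';" +
  "function f(a){if(a.match(/^\\w+:\\/\\//)){}else{var b=r.createElement(Gb);b.src=a+Hb;a=e(b.src)}return a}" +
  "m.write(_b);var Z=location.hash;m.write(Z);";

const doc = makeFakeDocument("https://example.test/app/index.html");
console.log(ensureAbsoluteUrl("webadmin/", doc));                          // https://example.test/app/webadmin/
console.log(ensureAbsoluteUrl("../x<y>/", doc));                           // https://example.test/x%3Cy%3E/ (URL-encoded, not markup)
console.log(ensureAbsoluteUrl("https://cdn.example.test/webadmin/", doc)); // returned unchanged
console.log(triageWriteSinks(SAMPLE_NOCACHE));
```

Run it with node. The triage check is a heuristic: a string-literal declaration shows the argument is a compile-time constant, but grep the file for later assignments to that name before closing the finding, and keep in mind that the first finding is about where the resolved base URL is used afterwards, which this reconstruction does not trace.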