Friday, November 24, 2017

Re: Code Scanner Reporting Vulnerabilities on GWT-generated code

On Friday, November 24, 2017 at 3:13:08 AM UTC+1, Aleks wrote:

We are currently going through a security audit and as part of that doing static code scans. The scanner has returned two issues with the GWT-generated <module>.nocache.js files.

We can't really fix these as they are generated, but were hoping we could challenge them if we had a good explanation or some "official" GWT resource suggesting the code is actually safe.
I have found some previous posts on similar or same issues, but was hoping I could get a response more relevant to the version we are using (2.8.1) or an official resource (perhaps results of other scans/security audits?).

Below are the two issues with explanations and the code lines.

1. Cross Site Scripting

Description: The method f() in <module>.nocache.js sends unvalidated data to a web browser on line 13, which can result in the browser executing malicious code.

Code: function f(a){if(a.match(/^\w+:\/\//)){}else{var b=r.createElement(Gb);b.src=a+Hb;a=e(b.src)}return a}

This would come from here:
It's used at so it's never "user input" (comes from the DOM, at load time)
2. Dynamic Code Evaluation - Code Injection

Description: The file webadmin.nocache.js interprets unvalidated user input as source code on line 15. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.

Code: if(m.addEventListener){m.addEventListener($b,function(){H();M()},false)}var L=setInterval(function(){if(/loaded|complete/.test(m.readyState)){H();M()}},50);n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Q,millis:(new Date).getTime(),type:W});n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Nb,millis:(new Date).getTime(),type:R});m.write(_b)}

This comes from,, and I believe.
Again, nothing that comes from "user input".

(I'm assuming the default configuration here)
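The two flagged data flows, modelled as an added example that is not GWT's generated code and not part of the thread above. The first function mirrors what f() does (an absolute URL is returned unchanged, anything else is resolved against the document, here with the WHATWG URL API instead of reading back a script element's src). The second builds the string that ends up in document.write() and applies two checks an auditor could point to: the module base must be same-origin with the page, and the permutation file name must be a 32-hex-digit GWT strong name. The function names, the constructed URLs and the placeholder strong name are this example's own assumptions; the same-origin check is an added control, not something the default GWT bootstrap is claimed to do.

```javascript
// Added example, not GWT's generated bootstrap. Function names, URLs and the
// placeholder strong name below are this example's own assumptions.

// Models f(): in the real bootstrap the browser resolves b.src for us; here
// the same resolution is done with the WHATWG URL API against the document URL.
function computeModuleBase(scriptSrc, documentUrl) {
  // Absolute URL (scheme://...) is returned unchanged, exactly as in f().
  if (/^\w+:\/\//.test(scriptSrc)) {
    return scriptSrc;
  }
  const resolved = new URL(scriptSrc, documentUrl).href;
  // Keep the directory part so it can be used as the module base.
  return resolved.slice(0, resolved.lastIndexOf('/') + 1);
}

// Added check (not GWT's): the base may only point back at the page's origin.
// Relax to an explicit allowlist if the module is served from a CDN.
function isSameOrigin(moduleBase, documentUrl) {
  return new URL(moduleBase).origin === new URL(documentUrl).origin;
}

// GWT permutations are named <strongName>.cache.js where the strong name is
// an uppercase 32-hex-digit MD5 of the compiled output. Anything else is rejected.
const STRONG_NAME_RE = /^[0-9A-F]{32}$/;

// Builds the string the bootstrap would hand to document.write(), refusing to
// do so unless every component has the expected shape.
function buildModuleScriptTag(moduleBase, strongName, documentUrl) {
  if (!isSameOrigin(moduleBase, documentUrl)) {
    throw new Error('module base is not same-origin with the page: ' + moduleBase);
  }
  if (!STRONG_NAME_RE.test(strongName)) {
    throw new Error('not a GWT strong name: ' + strongName);
  }
  return '<script src="' + moduleBase + strongName + '.cache.js"><\/script>';
}

// Constructed stand-ins for what the browser supplies at load time.
const DOCUMENT_URL = 'https://app.example.test/admin/index.html';
const SCRIPT_SRC = 'webadmin/webadmin.nocache.js';        // as written in the host page
const STRONG_NAME = '0123456789ABCDEF0123456789ABCDEF';   // placeholder permutation id

// Happy path: resolve the base from the host page's own script reference,
// then produce the validated script tag.
function demo() {
  const base = computeModuleBase(SCRIPT_SRC, DOCUMENT_URL);
  return buildModuleScriptTag(base, STRONG_NAME, DOCUMENT_URL);
}

// Returns true when the validation rejects a tampered base or file name,
// which is the behaviour an auditor would want to see demonstrated.
function rejects(moduleBase, strongName) {
  try {
    buildModuleScriptTag(moduleBase, strongName, DOCUMENT_URL);
    return false;
  } catch (e) {
    return true;
  }
}

console.log(demo());
```

Running it in Node prints the same-origin script tag for the constructed inputs; passing a base on another origin, or a file name that is not a 32-hex-digit strong name, makes buildModuleScriptTag throw instead of producing anything that could reach document.write().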

