Friday, November 24, 2017

Re: Code Scanner Reporting Vulnerabilities on GWT-generated code



On Friday, November 24, 2017 at 3:13:08 AM UTC+1, Aleks wrote:
Hi,

we are currently going through a security audit and as part of that doing static code scans. The scanner has returned two issues with the GWT-generated <module>.nocache.js files.

We can't really fix these as they are generated, but were hoping we could challenge them if we had a good explanation or some "official" GWT resource suggesting the code is actually safe. 
I have found some previous posts on similar or same issues, but was hoping I could get a response more relevant to the version we are using (2.8.1) or an official resource (perhaps results of other scans/security audits?).


Below are the two issues with explanations and the code lines.

1. Cross Site Scripting

Description: The method f() in <module>.nocache.js sends unvalidated data to a web browser on line 13, which can result in the browser executing malicious code. Sending unvalidated data to a web browser can result in the browser executing malicious code.

Code: function f(a){if(a.match(/^\w+:\/\//)){}else{var b=r.createElement(Gb);b.src=a+Hb;a=e(b.src)}return a}

This would come from here: https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/computeScriptBase.js#L49-L62
It's used at https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/computeScriptBase.js#L115 so it's never "user input" (comes from the DOM, at load time)
 
2. Dynamic Code Evaluation - Code Injection

Description: The file webadmin.nocache.js interprets unvalidated user input as source code on line 15. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.

Code: if(m.addEventListener){m.addEventListener($b,function(){H();M()},false)}var L=setInterval(function(){if(/loaded|complete/.test(m.readyState)){H();M()}},50);n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Q,millis:(new Date).getTime(),type:W});n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Nb,millis:(new Date).getTime(),type:R});m.write(_b)}

This comes from https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/waitForBodyLoaded.js, https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/isBodyLoaded.js, and https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/installLocationIframe.js#L52 I believe.
Again, nothing that comes from "user input".

(I'm assuming the default configuration here)

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
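The argument in the reply above for the first finding (the value f() receives is the directory of the page's own <module>.nocache.js script tag, resolved by the browser at load time, not request data) is easier to check in running code. What follows is an added example, not GWT's code and not part of the thread: a Node-runnable emulation of that flow. The minified f() quoted above creates an element, assigns a+Hb to its src and takes the directory of the resolved value; here the WHATWG URL class does the resolution the browser would do through element.src. The function and parameter names (ensureAbsoluteUrl, computeScriptBase, scriptSrcs, pageUrl, directoryOf) are mine, "clear.cache.gif" as the appended marker file is an assumption about what Hb stands for, and the sample script list and page URL are constructed.

```javascript
// Added example, not GWT's code: a Node-runnable emulation of the logic the
// flagged f() belongs to. In the browser GWT lets the DOM resolve a relative
// URL (createElement(...).src); here the WHATWG URL class does the same job so
// the flow can be exercised offline. Function and parameter names are mine.

const ABSOLUTE_URL = /^\w+:\/\//;        // the same test the minified f() uses
const MARKER_FILE = 'clear.cache.gif';   // assumed value of Hb, appended before resolving

// Everything up to and including the last '/'.
function directoryOf(url) {
  return url.substring(0, url.lastIndexOf('/') + 1);
}

// Mirror of f(): an absolute URL is returned untouched; anything else is
// resolved against the page (the browser does this through element.src) and
// reduced to its directory. Note that this is a URL normaliser, not a
// sanitiser: the safety argument rests on where the input comes from.
function ensureAbsoluteUrl(url, pageUrl) {
  if (ABSOLUTE_URL.test(url)) {
    return url;
  }
  return directoryOf(new URL(url + MARKER_FILE, pageUrl).href);
}

// The call site: pick the <script> whose src names <module>.nocache.js and use
// its directory as the module base. scriptSrcs stands for the src attributes
// of the script elements present in the DOM when the selection script runs;
// that is the only source of the value handed to the f() equivalent.
function computeScriptBase(scriptSrcs, moduleName, pageUrl) {
  const marker = moduleName + '.nocache.js';
  for (const src of scriptSrcs) {
    if (src.indexOf(marker) !== -1) {
      return ensureAbsoluteUrl(directoryOf(src), pageUrl);
    }
  }
  // No matching tag: fall back to the page's own directory.
  return ensureAbsoluteUrl(directoryOf(pageUrl), pageUrl);
}

// Constructed sample: script elements a page embedding the webadmin module
// might contain, and the URL of that page.
const SAMPLE_SCRIPTS = [
  'https://cdn.example.test/vendor/analytics.js',
  'webadmin/webadmin.nocache.js',
];
const SAMPLE_PAGE = 'https://example.test/app/index.html';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(computeScriptBase(SAMPLE_SCRIPTS, 'webadmin', SAMPLE_PAGE));
}
```

Run with `node computeScriptBase.js` (any file name will do). Feeding it a relative src, an absolute src on another host, a src with a query string and a page with no matching tag shows the three paths the minified f() takes: pass an absolute URL through, resolve a relative one against the page, or fall back to the page directory.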
