
I am running Synopsys' Coverity scanning tool and it says the following function needs to sanitize "success". I have tried DOMPurify, DOMParser etc. and all it does is break the UI. Any help would be wonderful.

$.ajax({
    url: window.paramFormRoleView.UrlGetIsoData,
    success: function (response) {
        bindIsosDropDown(response);
    }
});

Here is the function for bindIsosDropDown:

function bindIsosDropDown(isoData) {

    var isoDropDownHtml = "";

    if (window.existingAssociatedIsos !== null && window.existingAssociatedIsos !== "") {

        var existingAssociatedIsosArr = window.existingAssociatedIsos.split(',').map(Number);

        $(isoData).each(function (index, iso) {
            // Note: a space is needed before the attribute so it does not run into the closing quote
            isoDropDownHtml += '<option value="' + iso.IsoId + '"' + (($.inArray(iso.IsoId, existingAssociatedIsosArr) > -1) ? ' selected' : '') + '>' + iso.LegalName + '</option>';
        });

    } else {

        $(isoData).each(function (index, iso) {
            isoDropDownHtml += '<option value="' + iso.IsoId + '">' + iso.LegalName + '</option>';
        });

    }

    $("#ddlIsoList").html(isoDropDownHtml);

    $(".multiselect").multiselect({ noneSelectedText: 'Select ISO' });

    manageIsosAndRoles();

}

TJG
  • What is the definition of `bindIsosDropDown`? – Scott McPeak Jun 29 '22 at 02:53
  • It pulls in options into a dropdown. The options are checkboxes and it allows an admin to select a sub role for the user. – TJG Jun 29 '22 at 16:45
  • I believe the problem is in `bindIsosDropDown` since it takes `response` as a parameter. Please add its definition to your question (click "Edit"). – Scott McPeak Jun 30 '22 at 01:10

1 Answer


Problem

The bindIsosDropDown function is insecure. It accepts isoData as a parameter, but that comes directly from the network, so it is "tainted" (potentially under attacker control). It then concatenates elements of isoData to make HTML in these lines of code (and elsewhere):

    $(isoData).each(function (index, iso) {
        isoDropDownHtml += '<option value="' + iso.IsoId + '"' + ...;
    });

If isoData is, for example (in JSON syntax):

    [
      { "IsoId": "\"><script>alert('Gotcha!')</script><option value=\"" }
    ]

then isoDropDownHtml will be:

    <option value=""><script>alert('Gotcha!')</script><option value="" ...

and consequently the browser will execute the attacker payload (here just an alert message, but it could be any malicious code).

Solution

Typically, you want to escape any HTML metacharacters that might be in the tainted data so they cannot break out of the syntactic context, which in this case is a double-quoted attribute value. The question Escaping HTML strings with jQuery has several suggestions for specific ways to do that.

Assuming you use one of those suggestions, and therefore have a function called escapeHtml that will escape HTML metacharacters, you can use it like this:

    $(isoData).each(function (index, iso) {
        isoDropDownHtml += '<option value="' + escapeHtml(iso.IsoId) + '"' + ...;
        //                                     ^^^^^^^^^^
    });

If you now work through what happens with the example isoData from before, you will see that the IsoId gets properly encoded as an HTML attribute value, and consequently no executable JavaScript gets delivered.

Note that you have to escape tainted data like this everywhere in the application that might handle it. It is not enough to fix one instance, or even all of the instances that Coverity (or any tool) can detect. If the code in the question is typical of the application, there are probably many more places that are vulnerable, so a careful and systematic review is warranted.

Scott McPeak
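The following is an added example, not code from the question or the answer above: a minimal escapeHtml of the kind the answer refers to, together with a rewritten option builder that passes every field taken from the server response (IsoId and LegalName, not only IsoId) through it. It runs in Node without jQuery; the returned string is what the page's code would hand to $("#ddlIsoList").html(...). The function names buildIsoOptionsHtml and demo, and the sample records in SAMPLE_ISO_DATA, are invented for this example; the hostile IsoId value is the one from the answer.

```javascript
// Added example (not the question's or answer's own code).
// Escape table for the five HTML metacharacters that can change
// the parse in either a text node or a double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape tainted text so it cannot break out of its HTML context.
// Non-string values (numeric IsoIds) are stringified first.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the <option> markup for the dropdown.
// isoData:      the (tainted) server response
// existingIds:  the already-associated ISO ids, as from
//               window.existingAssociatedIsos.split(',').map(Number)
// Both IsoId and LegalName are escaped, and the "selected" attribute is
// preceded by a space so it does not run into the closing quote.
function buildIsoOptionsHtml(isoData, existingIds) {
  const selectedSet = new Set((existingIds || []).map(Number));
  let html = '';
  for (const iso of isoData) {
    const selected = selectedSet.has(Number(iso.IsoId)) ? ' selected' : '';
    html += '<option value="' + escapeHtml(iso.IsoId) + '"' + selected + '>' +
            escapeHtml(iso.LegalName) + '</option>';
  }
  return html;
}

// Constructed sample input (hypothetical): one benign record whose name
// contains an ampersand, and one carrying the payload from the answer.
const SAMPLE_ISO_DATA = [
  { IsoId: 7, LegalName: 'Acme & Sons' },
  { IsoId: "\"><script>alert('Gotcha!')</script><option value=\"", LegalName: 'x' },
];

// Returns the markup for the sample data with ISO 7 pre-selected.
function demo() {
  return buildIsoOptionsHtml(SAMPLE_ISO_DATA, [7]);
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Working through demo() by hand: the first record becomes `<option value="7" selected>Acme &amp; Sons</option>`, and the hostile IsoId is emitted with every quote and angle bracket encoded, so the browser sees one option whose value attribute happens to contain the literal text `"><script>...` rather than a script element. The same escaping must be applied at every other place the application concatenates response data into markup, as the answer notes.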