1
votes

Could anyone explain why VeraCode appears to think using name as a public property is a bad idea and propose a good comment for mitigation?

the code (JavaScript):

var BatchTask = (function () {
    function BatchTask(batchOrTask, isBatch) {
        if (isBatch) {
            // batch handling omitted in the question
        }
        else {
            var task = batchOrTask;
            this.name = task.name; // flaw identified on this line
        }
    }
    return BatchTask;
}());

the flaw: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Attack Vector: name

Description: This call to name() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.

1
did you escape the incoming data (task.name)? - Caspar Kleijne
after a consultation with Veracode people they have confirmed this is a false-negative and is a bug in their engine they will look into. - Иван Грозный
please create an answer for that and accept your own answer, thanks. - Caspar Kleijne
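Added example, not code from the question or from Veracode: the constructor above only copies task.name into a property, which is not an HTML sink by itself; CWE-80 matters at the point where that value is written into markup. The escapeHtml, renderTask and renderTaskUnsafe helpers and the isBatch branch body are assumptions made for this example.

```javascript
// Same shape as the BatchTask in the question; the batch branch body is a
// constructed stand-in because the original elides it.
var BatchTask = (function () {
    function BatchTask(batchOrTask, isBatch) {
        if (isBatch) {
            this.name = batchOrTask.name; // assumed: batches also carry a name
        }
        else {
            var task = batchOrTask;
            this.name = task.name; // plain data copy; nothing reaches a page here
        }
    }
    return BatchTask;
}());

// Neutralise the characters CWE-80 is about (tags, attribute quotes)
// before a value is concatenated into HTML. Assumed helper name.
function escapeHtml(value) {
    var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
    return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// The actual sink: building markup from the property without escaping.
// This is the pattern a scanner should flag, not the property assignment.
function renderTaskUnsafe(batchTask) {
    return '<li class="task">' + batchTask.name + '</li>';
}

// Hardened form: escaping is applied where the value meets HTML.
function renderTask(batchTask) {
    return '<li class="task">' + escapeHtml(batchTask.name) + '</li>';
}

// Constructed sample input resembling a hostile task name.
var sampleTask = new BatchTask({ name: '<img src=x onerror="alert(1)">' }, false);
console.log(renderTaskUnsafe(sampleTask)); // tag survives intact
console.log(renderTask(sampleTask));       // tag rendered as text
```

Storing the raw value in the object is fine; the check a reviewer wants is that every place this property is interpolated into HTML goes through the escaping (or a DOM text API such as textContent).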

1 Answer

2
votes

After a consultation with Veracode, they have confirmed this is a false-negative and is a bug in their engine they will look into.