5

I am working on fixing a potential security issue. I ran HP Fortify SCA and I got a critical priority report on my jquery.js file.

Category : Dynamic Code Evaluation: Code Injection (3 Issues).

I looked at the source code and it turns out to be the line where the setTimeout() eval code sits.

// jQuery's ajax timeout handling: the first argument to setTimeout() is a
// function literal, not a string, so nothing is evaluated as code here.
if (s.async && s.timeout) {
    timeoutTimer = setTimeout( function() {
        jqXHR.abort("timeout");
    }, s.timeout );
}

with a try catch block preceding.

I did a bit of digging and they say not to mess with third-party source code, as you may be tampering with other functionality. I'm thinking just suppress and move on? I usually do not like to suppress criticals.

Any ideas?

Alexander O'Mara
A1a5h3
  • Are you sure that's the code it is complaining about? I don't see any code evaluation going on there. – Alexander O'Mara Feb 20 '17 at 16:58
  • The jquery.js file interprets unvalidated user input as source code on that line. Interpreting user-controlled instructions at run-time can allow a malicious attacker to execute his code. – A1a5h3 Feb 20 '17 at 17:03
  • Technically, it's defining an anonymous function, which, if performed carelessly, can allow for dynamic execution. I would suspect an overly conservative rule picking up on this - and I'd guess that HP have seen this before, given how prevalent jquery is. – Matthew Feb 20 '17 at 17:04
  • *"The jquery.js file interprets unvalidated user input as source code on that line."* I can confirm this code is not doing that. That's also a very bold claim it is making, seeing as no user input is seen on these lines. Perhaps that's just what it says every time it sees `setTimeout` (setTimeout could evaluate code, if passed a string)? If that's the case, this tool is garbage. – Alexander O'Mara Feb 20 '17 at 17:06

1 Answer

6

It's a false positive.

Reporting false code injection vulnerabilities is a well-known problem with HP Fortify and has confused developers before. Fortify just does basic static analysis of the JavaScript code and can't go arbitrarily deep to understand how it works. As @AlexanderOMara suggested, it just seems to discover the potentially dangerous setTimeout() function which can, like setInterval(), take a string argument that would be executed as code, just like eval() does. This is the sort of vulnerability the tool aims to discover:

setTimeout('alert(' + document.location.hash.split('#')[1] + ')', 0);

But in your case there is no user-supplied, unfiltered input to the setTimeout() function and it therefore looks safe. Leaving you with a great conclusion from the linked thread:

My advice is to stop running HP fortify reports. Or pay the five thousand, or whatever dollars to go to their classes so you could actually understand their malarkey.

Arminius
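The distinction the answer draws (a function passed to setTimeout() is harmless, a string built from input is eval-like) can be checked mechanically. The following is an added example, not code from the question, the answer or from Fortify: a small heuristic classifier that locates setTimeout()/setInterval() calls in JavaScript source, extracts the first argument, and reports whether it is a function, a string (literal or concatenation, which browsers evaluate as code), or something it cannot resolve. The three input snippets are constructed for the demonstration; the argument parser is a simplified scanner, not a full JavaScript parser, so it is an illustration of the rule Fortify should be applying rather than a replacement for it.

```javascript
// Added example (not from the original post or from Fortify): a minimal static
// check for timer calls. A browser's setTimeout()/setInterval() evaluate a
// string first argument as code, exactly like eval(); a function argument is
// merely scheduled. The scanner below tells the two apart so that the jQuery
// fragment from the question classifies as safe and the string-building call
// from the answer classifies as eval-like.

const TIMER_CALL = /\b(setTimeout|setInterval)\s*\(/g;

// Return the text of the first argument beginning at `start` (the index just
// after the opening parenthesis). Stops at the first top-level comma or the
// closing parenthesis, tracking bracket nesting and quoted strings so commas
// inside a function body or a string literal are not taken as the separator.
function firstArgument(src, start) {
  let depth = 0;
  let quote = null;
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') { i++; continue; }      // skip an escaped character
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === '`') { quote = ch; continue; }
    if (ch === '(' || ch === '{' || ch === '[') {
      depth++;
    } else if (ch === ')' || ch === '}' || ch === ']') {
      if (depth === 0) return src.slice(start, i).trim();
      depth--;
    } else if (ch === ',' && depth === 0) {
      return src.slice(start, i).trim();
    }
  }
  return src.slice(start).trim();
}

// Heuristic classification of the argument text:
//   'function'   - function expression or arrow function (scheduled, not evaluated)
//   'string'     - string literal, or an expression concatenating one (evaluated as code)
//   'unresolved' - an identifier or other expression; needs manual review
function classifyArgument(arg) {
  if (/^(async\s+)?function\b/.test(arg)) return 'function';
  if (/^(async\s+)?(\([^)]*\)|[A-Za-z_$][\w$]*)\s*=>/.test(arg)) return 'function';
  if (/^['"`]/.test(arg)) return 'string';
  if (/['"`]/.test(arg) && /\+/.test(arg)) return 'string';
  return 'unresolved';
}

// Find every setTimeout()/setInterval() call in `src` and classify its callback.
function findTimerCalls(src) {
  const results = [];
  TIMER_CALL.lastIndex = 0;
  let m;
  while ((m = TIMER_CALL.exec(src)) !== null) {
    const argument = firstArgument(src, m.index + m[0].length);
    results.push({ call: m[1], argument, kind: classifyArgument(argument) });
  }
  return results;
}

// Constructed inputs: the jQuery fragment Fortify flagged, the string-built
// call from the answer, and a call that passes an identifier.
const JQUERY_FRAGMENT = `
if (s.async && s.timeout) {
    timeoutTimer = setTimeout( function() {
        jqXHR.abort("timeout");
    }, s.timeout );
}`;

const STRING_BUILT =
  "setTimeout('alert(' + document.location.hash.split('#')[1] + ')', 0);";

const IDENTIFIER_CALLBACK = 'var cb = buildCallback(); setInterval(cb, 1000);';

// Run the scanner over all three samples and return the classification per sample.
function demo() {
  return {
    jquery: findTimerCalls(JQUERY_FRAGMENT).map(r => r.kind),
    stringBuilt: findTimerCalls(STRING_BUILT).map(r => r.kind),
    identifier: findTimerCalls(IDENTIFIER_CALLBACK).map(r => r.kind),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}

module.exports = { firstArgument, classifyArgument, findTimerCalls, demo };
```

Only the 'string' result is a finding in the eval() sense; the jQuery line comes back as 'function' and can be suppressed with that justification recorded. The 'unresolved' case is where a real data-flow analysis earns its keep: an identifier may or may not hold user-derived text, and a tool that flags every timer call without following that flow is producing exactly the noise the answer describes.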