Corporate Security Scans

krutovdl  Posts: 51, Questions: 9, Answers: 1
edited June 2023 in DataTables 1.10

My company is flagging security violations to code in datatables.js.

Here is the code snippet in question from my company:
wwwroot/lib/datatables/datatables.js:8412

        if ( loaded && loaded.childRows ) {
            api
                .rows( $.map(loaded.childRows, function (id){
                    return id.replace(/:/g, '\\:')
                }) )
                .every( function () {
                    _fnCallbackFire( context, null, 'requestChild', [ this ] )

CodeQL flags the line return id.replace(/:/g, '\\:') with the note: This does not escape backslash characters in the input.

Error messages shown:
Sanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.

However, directly using the string replace method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.

In the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.

Even if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.

Description of problem:
My company is upgrading its applications and is getting more strict on security. Please give suggestions or possible solutions to fulfill my company's ever-growing security enforcement.

Replies

  • allan  Posts: 63,786, Questions: 1, Answers: 10,511  Site admin

    I'm not clear on why anything in that regex would need to be escaped? It is simply checking that the id parameter itself gets escaped - a colon is valid as a DOM id, but it causes issues with CSS selectors. There is no user input there, no SQL query.

    It sounds to me like the security scanner has flagged a false positive.

    If you can see how it is a security issue, I'm all ears and would be happy to make whatever changes are needed in DataTables, but I don't see how that is the case here.

    Allan
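The following is an added example, not code from the DataTables project or from anyone in this thread. It puts the two points above side by side: the CodeQL rule text in the question (a backslash in the input is not escaped) and the reply that the colon escape exists because a colon is legal in a DOM id but special in a CSS selector. It assumes the escaped id ends up in an id selector such as $('#' + escaped), models only the simple backslash-plus-character escape form that CSS selector engines decode (no hex escapes), and uses constructed sample ids rather than anything from the thread.

```javascript
// Added example: not code from the DataTables project or from this thread.
// It models what a CSS selector engine does with an id escaped the two ways
// discussed above. Assumption: the escaped id is used in an id selector such as
// $('#' + escaped); the "engine" below only models the simple "\<char>" escape
// form from the CSS Syntax spec (no hex escapes), which is enough for this case.

// Strategy 1: the DataTables line flagged by CodeQL. Only ':' is escaped, so a
// backslash already present in the id passes through untouched.
function escapeColonOnly(id) {
  return id.replace(/:/g, '\\:');
}

// Strategy 2: escape the backslash too, along with every other character that
// is not a plain identifier character. One regex pass touches each input
// character exactly once, so an input backslash can never pair up with the
// backslash inserted for a later ':' (the failure mode the CodeQL text describes).
// Caveat: the real CSS.escape() / jQuery.escapeSelector() also handle a leading
// digit, control characters and newlines; this simplified version does not.
function escapeCssIdentifier(id) {
  return id.replace(/[^A-Za-z0-9_-]/g, (ch) => '\\' + ch);
}

// Minimal model of how a selector engine reads "#<escaped>": "\<char>" yields
// <char> literally, and the first unescaped ':' ends the identifier because it
// would start a pseudo-class. Returns the id the engine would look up plus
// whatever is left over.
function parseIdSelector(selector) {
  if (selector.charAt(0) !== '#') {
    throw new Error('expected an id selector');
  }
  let id = '';
  let i = 1;
  while (i < selector.length) {
    const ch = selector.charAt(i);
    if (ch === '\\' && i + 1 < selector.length) {
      id += selector.charAt(i + 1);
      i += 2;
    } else if (ch === ':') {
      break;
    } else {
      id += ch;
      i += 1;
    }
  }
  return { id, rest: selector.slice(i) };
}

// True when "#" + escapeFn(id) would select exactly the element with this id.
function selectsIntendedId(escapeFn, id) {
  const parsed = parseIdSelector('#' + escapeFn(id));
  return parsed.id === id && parsed.rest === '';
}

// Constructed sample ids (not taken from the thread). All are valid HTML ids.
const SAMPLE_IDS = ['row:1', 'x:y:z', 'a\\b', 'a\\:b'];

function compareStrategies() {
  return SAMPLE_IDS.map((id) => ({
    id,
    colonOnly: selectsIntendedId(escapeColonOnly, id),
    full: selectsIntendedId(escapeCssIdentifier, id),
  }));
}

for (const row of compareStrategies()) {
  console.log(JSON.stringify(row));
}
```

Running it shows that ids containing only colons round-trip under both strategies, which is the case DataTables is handling, while the two constructed ids that contain a backslash are only selected correctly by the full escape: with the colon-only version, 'a\:b' becomes the selector #a\\:b, which the engine reads as the id 'a\' followed by a pseudo-class ':b'. Whether that matters depends on where the ids come from; in a browser the complete versions of strategy 2 are CSS.escape(id) and, with jQuery 3 or later, $.escapeSelector(id), both of which escape the backslash as well as the colon.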

  • allan  Posts: 63,786, Questions: 1, Answers: 10,511  Site admin

    The ironic thing is that the \\ is escaping a single \. I'm just not getting it...

    Allan

  • krutovdl  Posts: 51, Questions: 9, Answers: 1

    That is excellent and thank you for confirming what we were already thinking. Please close this discussion.

This discussion has been closed.