Details
-
Type:
Improvement
-
Status: Closed
-
Priority:
Critical
-
Resolution: Fixed
-
Affects Version/s: EE-4.2.0.GA, EE-3.3.0.GA_P05
-
Fix Version/s: 4.3, EE-3.3.0.GA_P06
-
Component/s: ACE-Components
-
Labels:None
-
Environment:Any
-
Affects:Documentation (User Guide, Ref. Guide, etc.)
Description
A customer has reported that a static security analysis has found a potential problem in our fileEntry.js file.
The report of the flaw is as follows:
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
This call to eval() contains untrusted input or potentially untrusted data. If this input could be modified by an attacker, arbitrary JS code could be executed.
Validate all untrusted and untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input.
References: CWE (http://cwe.mitre.org/data/definitions/95.html)
The report of the flaw is as follows:
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
This call to eval() contains untrusted input or potentially untrusted data. If this input could be modified by an attacker, arbitrary JS code could be executed.
Validate all untrusted and untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input.
References: CWE (http://cwe.mitre.org/data/definitions/95.html)
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
r51892, r51893: replaced use of eval() for custom string parsing, in order to avoid possible security risks; committed to 4.0 trunk and 3.3 EE maintenance branch
Testing notes: the way to test this is simply verifying that the progress feature continues to work normally. Running all regression tests is a good idea as well. With the absence of the eval() function, there's no risk any more.
Show
Arturo Zambrano
added a comment - - edited r51892, r51893: replaced use of eval() for custom string parsing, in order to avoid possible security risks; committed to 4.0 trunk and 3.3 EE maintenance branch
Testing notes: the way to test this is simply verifying that the progress feature continues to work normally. Running all regression tests is a good idea as well. With the absence of the eval() function, there's no risk any more.
Verified ICEfaces 4 trunk, EE-3.3.0 maintenance branch r51921, Tomcat 8, MS Edge, IE 11, 10, 9, 8, FF 53, Chrome 60.