ICEfaces / ICE-11362

SECURITY: Potential 'eval' injection risk in fileEntry.js

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: EE-4.2.0.GA, EE-3.3.0.GA_P05
    • Fix Version/s: 4.3, EE-3.3.0.GA_P06
    • Component/s: ACE-Components
    • Labels: None
    • Environment: Any
    • Affects: Documentation (User Guide, Ref. Guide, etc.)

      Description

      A customer has reported that a static security analysis has found a potential problem in our fileEntry.js file.

      The report of the flaw is as follows:

      Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

      This call to eval() contains untrusted input or potentially untrusted data. If this input could be modified by an attacker, arbitrary JS code could be executed.
      Validate all untrusted and untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input.

      References: CWE (http://cwe.mitre.org/data/definitions/95.html)

        Activity

        Arturo Zambrano created issue -
        Arturo Zambrano made changes -
        Field: Original Value → New Value
        Assignee: Arturo Zambrano [ artzambrano ]
        Arturo Zambrano made changes -
        Priority: Major [ 3 ] → Critical [ 2 ]
        Ken Fyten made changes -
        Description: first sentence changed from "FISGlobal have run a static analysis and found a potential problem in our fileEntry.js file." to "A customer has reported that a static security analysis has found a potential problem in our fileEntry.js file."; the rest of the description is unchanged.
        Ken Fyten made changes -
        Fix Version/s: 4.3 [ 13096 ]
        Fix Version/s: EE-3.3.0.GA_P06 [ 13114 ]
        Arturo Zambrano added a comment - edited

        r51892, r51893: replaced use of eval() for custom string parsing, in order to avoid possible security risks; committed to 4.0 trunk and 3.3 EE maintenance branch

        Testing notes: the way to test this is simply verifying that the progress feature continues to work normally. Running all regression tests is a good idea as well. With the absence of the eval() function, there's no risk any more.
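
An illustration of the change described in the comment above, added here and not taken from the ticket or from fileEntry.js: an eval()-based parser beside a strict hand-written one. The progress payload format, the key names and the function names are assumptions made for the example.

```javascript
// Added illustration; the payload format below is an assumption, not
// the format fileEntry.js actually receives.

// "Before" pattern flagged under CWE-95: the string is executed as code.
function parseProgressWithEval(text) {
  return eval('(' + text + ')');
}

// "After" pattern: accept only the expected grammar and build the
// object by hand; anything else is rejected, never executed.
const ALLOWED_KEYS = new Set(['clientId', 'percent']); // hypothetical keys
const PAIR = /^\s*([A-Za-z]+)\s*:\s*(?:(\d{1,3})|'([\w:.-]*)')\s*$/;

function parseProgressStrict(text) {
  const body = /^\s*\{(.*)\}\s*$/.exec(text);
  if (!body) throw new SyntaxError('not a progress object');
  const result = {};
  for (const part of body[1].split(',')) {
    const m = PAIR.exec(part);
    if (!m || !ALLOWED_KEYS.has(m[1]) || m[1] in result) {
      throw new SyntaxError('unexpected token in progress data');
    }
    result[m[1]] = m[2] !== undefined ? Number(m[2]) : m[3];
  }
  if (!Number.isInteger(result.percent) || result.percent > 100) {
    throw new RangeError('percent must be an integer 0..100');
  }
  return result;
}

// Constructed inputs: one well-formed, one carrying an expression.
const GOOD = "{clientId:'form:upload', percent:42}";
const TAINTED = "{clientId:'form:upload', percent:(globalThis.injected = true, 42)}";

function demo() {
  globalThis.injected = false;
  const viaEval = parseProgressWithEval(TAINTED); // the expression runs
  const evalRanInjectedCode = globalThis.injected;
  globalThis.injected = false;
  let strictRejected = false;
  try { parseProgressStrict(TAINTED); } catch (e) { strictRejected = true; }
  return { viaEval, evalRanInjectedCode, strictRejected,
           strictRanInjectedCode: globalThis.injected,
           good: parseProgressStrict(GOOD) };
}
```

A regression check for this kind of fix can assert both halves: well-formed progress data still parses, and non-conforming data raises an error instead of being evaluated.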

        Arturo Zambrano made changes -
        Status: Open [ 1 ] → Resolved [ 5 ]
        Resolution: Fixed [ 1 ]
        Repository: ICEsoft Public SVN Repository
        Revision: #51892
        Date: Mon Sep 11 14:42:20 MDT 2017
        User: art.zambrano
        Message: ICE-11362 replaced use of eval() for custom string parsing, in order to avoid possible security risks
        Files Changed:
        MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/fileentry/fileEntry.js
        Ken Fyten made changes -
        Issue Type: Bug [ 1 ] → Improvement [ 4 ]
        Ken Fyten made changes -
        Summary: Potential 'eval' injection risk in fileEntry.js → SECURITY: Potential 'eval' injection risk in fileEntry.js
        Ken Fyten made changes -
        Affects: Documentation (User Guide, Ref. Guide, etc.) [ 10003 ]
        Liana Munroe added a comment -

        Verified ICEfaces 4 trunk, EE-3.3.0 maintenance branch r51921, Tomcat 8, MS Edge, IE 11, 10, 9, 8, FF 53, Chrome 60.

        Ken Fyten made changes -
        Status: Resolved [ 5 ] → Closed [ 6 ]

          People

          • Assignee: Arturo Zambrano
          • Reporter: Arturo Zambrano
          • Votes: 0
          • Watchers: 2
