Improper code sanitization

ID: js/bad-code-sanitization
Kind: path-problem
Security severity: 6.1
Severity: error
Precision: high
Tags:
  - security
  - external/cwe/cwe-094
  - external/cwe/cwe-079
  - external/cwe/cwe-116
Query suites:
  - javascript-code-scanning.qls
  - javascript-security-extended.qls
  - javascript-security-and-quality.qls
Using string concatenation to construct JavaScript code is error-prone and, in the worst case, enables code injection when part of the input is controlled by an attacker.

Recommendation

If you use JSON.stringify or an HTML sanitizer to sanitize a string that is inserted into JavaScript code, perform additional sanitization afterwards or remove the potentially dangerous characters, because neither step on its own is sufficient.
Example

The example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains `</script>`, then the generated code will break out of a `<script>` element if it is inserted into a `<script>` tag.

```javascript
function createObjectWrite(key) {
    // JSON.stringify quotes and backslash-escapes key, but leaves '<' and '>'
    // untouched, so a key containing "</script>" survives into the output.
    const assignment = `obj[${JSON.stringify(key)}]=42`;
    return `(function(){${assignment}})` // NOT OK
}
```
The issue has been fixed by escaping the potentially dangerous characters, as shown below.

```javascript
// Characters that are safe inside a JSON string but dangerous once the string
// is embedded in JavaScript source or in an HTML <script> element, mapped to
// their escaped form (the replacement text is a JS escape sequence).
const charMap = {
    '<': '\\u003C',
    '>': '\\u003E',
    '/': '\\u002F',
    '\\': '\\\\',
    '\b': '\\b',
    '\f': '\\f',
    '\n': '\\n',
    '\r': '\\r',
    '\t': '\\t',
    '\0': '\\0',
    '\u2028': '\\u2028',
    '\u2029': '\\u2029'
};

// Replace each unsafe character with its escape sequence. Inside a character
// class, \b is the backspace character, not a word boundary.
function escapeUnsafeChars(str) {
    return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, x => charMap[x])
}

function createObjectWrite(key) {
    // Escape after JSON.stringify so that '<' and '>' (and the line
    // separators U+2028/U+2029) cannot reach the HTML or JS parser raw.
    const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;
    return `(function(){${assignment}})` // OK
}
```
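The following added example (not code from the CodeQL query help or the CodeQL project) shows the full picture behind the recommendation and the example above: an inline `<script>` built with `JSON.stringify` alone, the same script built with the additional escaping, a check that detects whether a generated script closes its own `<script>` element early, and a round-trip check confirming that the escaped literal still evaluates to the original key. The helper names (`toSafeScriptLiteral`, `buildScriptUnsafe`, `buildScriptSafe`, `breaksOutOfScript`, `roundTrips`) and the sample key are constructed for this example.

```javascript
// Added example: embedding an attacker-influenced string in an inline <script>.
// Not part of the CodeQL query help; all names below are constructed.

// Characters that JSON.stringify leaves untouched but that are dangerous once
// the JSON text sits inside <script> or inside JavaScript source text.
const UNSAFE_IN_SCRIPT = {
  '<': '\\u003C',      // stops "</script>" from reaching the HTML tokenizer
  '>': '\\u003E',
  '\u2028': '\\u2028', // line separator: a line terminator in older JS engines
  '\u2029': '\\u2029', // paragraph separator
};

// Serialize a value to a JavaScript expression that is safe to embed in <script>.
// JSON.stringify handles quotes, backslashes and C0 control characters; the
// replace() handles the characters it deliberately does not escape.
function toSafeScriptLiteral(value) {
  return JSON.stringify(value).replace(/[<>\u2028\u2029]/g, (c) => UNSAFE_IN_SCRIPT[c]);
}

// Builder the query flags: JSON.stringify only.
function buildScriptUnsafe(key) {
  return `<script>obj[${JSON.stringify(key)}] = 42;</script>`;
}

// Hardened builder: JSON.stringify followed by the additional escaping.
function buildScriptSafe(key) {
  return `<script>obj[${toSafeScriptLiteral(key)}] = 42;</script>`;
}

// Simplified model of the HTML tokenizer: a <script> element ends at the first
// "</script" (case-insensitive), no matter how the JavaScript inside quotes it.
// Our builders emit exactly one intended closing tag, so any extra one means
// the embedded value broke out of the element.
function breaksOutOfScript(html) {
  return (html.match(/<\/script/gi) || []).length > 1;
}

// Round-trip check: the escaped literal must still be valid JavaScript that
// evaluates back to the original key (evaluation is confined to our own output).
function roundTrips(key) {
  const literal = toSafeScriptLiteral(key);
  return new Function(`return ${literal};`)() === key;
}

// Constructed sample key containing a closing tag and a harmless marker element.
const HOSTILE_KEY = 'x</script><b>injected</b>';

console.log('unsafe breaks out:', breaksOutOfScript(buildScriptUnsafe(HOSTILE_KEY)));
console.log('safe breaks out:  ', breaksOutOfScript(buildScriptSafe(HOSTILE_KEY)));
console.log('safe output:      ', buildScriptSafe(HOSTILE_KEY));
```

Because the escaping is applied after `JSON.stringify`, backslashes are not escaped a second time (which would change the decoded key); only characters that `JSON.stringify` leaves raw are rewritten, and each rewrite is a JavaScript escape sequence that decodes to the original character.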
References

OWASP: Code Injection.
Common Weakness Enumeration: CWE-94.
Common Weakness Enumeration: CWE-79.
Common Weakness Enumeration: CWE-116.