Order-number-14977176: Fortify audit, 28 issues (e.g. Cross-Site Scripting: DOM, ...)


#1

Package: lib.dhtmlxSuite.codebase
lib/dhtmlxSuite/codebase/dhtmlx.js, line 9 (Cross-Site Scripting: DOM)
Issue Details Critical
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.rows['1'].cells['?'].firstChild
From: sortField
Sink Details
Sink: Assignment to cel.src
Enclosing Method: sortField()
Taint Flags: DATABASE, XSS
lib/dhtmlxSuite/codebase/dhtmlx.js, line 9 (Cross-Site Scripting: DOM)
Issue Details Critical
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.rows['?'].innerHTML
From: printView
Sink Details
Sink: write(0)
Enclosing Method: printView()
Taint Flags: DATABASE, XSS
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.obj.rows['?']
From: adjustColumnSize
Sink Details
Sink: Assignment to r.innerHTML
Enclosing Method: adjustColumnSize()
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.rows['1'].cells['?'].firstChild
From: sortField
Sink Details
Sink: Assignment to cel.src
Enclosing Method: sortField()
Taint Flags: DATABASE, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read c.xmlDoc.responseText
From: _process_html
Sink Details
Sink: Assignment to a.innerHTML
Enclosing Method: _process_html()
Taint Flags: WEB, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.ftr.childNodes['0'].rows['?'].innerHTML
From: printView
Sink Details
Sink: write(0)
Enclosing Method: printView()
Taint Flags: DATABASE, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this._fake.ftr.childNodes['0'].rows['?'].innerHTML
From: printView
Sink Details
Sink: write(0)
Enclosing Method: printView()
Taint Flags: DATABASE, XSS
Source Details
Source: Read this.hdr.rows['1'].cells['?'].firstChild
From: sortField
Sink Details
Sink: Assignment to celT.src
Enclosing Method: sortField()
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.rows['1'].cells['?']
From: printView
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.rows['?'].childNodes
From: printView
Sink Details
Sink: write(0)
Enclosing Method: printView()
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read document.location.pathname
From: printView
Sink Details
Sink: write(0)
Enclosing Method: printView()
Taint Flags: VALIDATED_OPEN_REDIRECT, WEB, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this._fake.hdr.rows['?'].innerHTML
From: printView
Sink Details
Sink: write(0)
Enclosing Method: printView()
Taint Flags: DATABASE, XSS

lib/dhtmlxSuite/codebase/dhtmlx.js, line 9 (Dynamic Code Evaluation: Code Injection) Critical
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read xml.xmlDoc.responseText
From: lambda
Sink Details
Sink: eval()
Enclosing Method: lambda()
Taint Flags: WEB, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read xml.responseText
From: XMLLoader
Sink Details
Sink: eval()
Enclosing Method: XMLLoader()
Taint Flags: WEB, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.base.firstChild.value
From: _filterOpts
Sink Details
Sink: setTimeout(0)
Enclosing Method: _filterOpts()
Taint Flags: WEB, XSS
lib/dhtmlxSuite/codebase/dhtmlx.js, line 9 (Dynamic Code Evaluation: Code Injection) Critical
Source: Read q.rows['?']
From: _createHRow
Sink Details
Sink: setTimeout(0)
Enclosing Method: _createHRow()
Taint Flags: DATABASE, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read data.responseText
From: _process_json
Sink Details
Sink: eval()
Enclosing Method: _process_json()
Taint Flags: WEB, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.base.firstChild.value
From: _cancelSelect
Sink Details
Sink: setTimeout(0)
Enclosing Method: _filterOpts()
Taint Flags: WEB, XSS
Source: Read h.value
From: _ccDo
Sink Details
Sink: setTimeout(0)
Enclosing Method: _ccDo()
Taint Flags: WEB, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.base.firstChild.value
From: _confirmSelect
Sink Details
Sink: setTimeout(0)
Enclosing Method: _filterOpts()
Taint Flags: WEB, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.base.firstChild.value
From: _confirmSelect
Sink Details
Sink: setTimeout(0)
Enclosing Method: _filterOpts()
Taint Flags: WEB, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.proto.proto.rows['?'].cells['?']
From: setSortImgPos
Sink Details
Sink: setTimeout()
Enclosing Method: doOnScroll()
Taint Flags: DATABASE, NUMBER
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.proto.proto.rows['?'].cells['?']
From: setSortImgPos
Sink Details
Sink: setTimeout(0)
Enclosing Method: doOnScroll()
Taint Flags: DATABASE, NUMBER
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.proto.proto.rows['?']
From: setSortImgState
Sink Details
Sink: setTimeout()
Enclosing Method: doOnScroll()
Taint Flags: DATABASE, NUMBER
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.proto.proto.rows['?'].cells['?']
From: setSortImgPos
Sink Details
Sink: setTimeout()
Enclosing Method: doClick()
Taint Flags: DATABASE, NUMBER
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.proto.proto.rows['?']
From: setSortImgState
Sink Details
Sink: setTimeout(0)
Enclosing Method: doOnScroll()
Taint Flags: DATABASE, NUMBER
lib/dhtmlxSuite/codebase/dhtmlx.js, line 9 (Open Redirect) Critical
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.rows['1'].cells['?'].firstChild
From: sortField
Sink Details
Sink: Assignment to cel.src
Enclosing Method: sortField()
Taint Flags: DATABASE, XSS
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.rows['1'].cells['?'].firstChild
From: sortField
Sink Details
Sink: Assignment to cel.src
Enclosing Method: sortField()
Taint Flags: DATABASE, XSS
lib/dhtmlxSuite/codebase/dhtmlx.js, line 9 (Open Redirect) Critical
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.rows['1'].cells['?'].firstChild
From: sortField
Sink Details
Sink: Assignment to celT.src
Enclosing Method: sortField()
Taint Flags: DATABASE, XSS


#2

Answered in the support system:

I’ve checked your indicated results.

  1. The issue in the sortField() function cannot be a security problem, as it only reads the index of the HTML table header cell and does not write anything to the DOM.

  2. The purpose of the printView() method is to create an HTML table based on the dhtmlxGrid. There is no other way to generate a print-friendly view. If you don't trust this method you may simply not use it (this method is not called automatically from the sources, so calling it directly is the only way) or remove it completely from the sources yourself.

  3. this.obj.rows[i] from the adjustColumnSize() method also only reads the HTML content (it takes the number of rows in the grid) and does not write anything to the DOM, so it cannot cause security problems.

  4. The XMLLoader() method is used to perform the AJAX request that loads the data from the server into the component, so it takes the responseText to display the loaded data. It does not write anything to the server, so if you trust your backend the method cannot cause security problems.
    The DHTMLX library will include the data received from the server in the HTML output (for example, the content of the cells in the case of a grid loaded from the server), without extra filtering. It is expected that data received from the server is XSS-free.

5, 6. Unfortunately, we cannot find any security problem in the setTimeout method calls.

  7. The mentioned line:
parent.rows[1].style.display='none';

cannot cause a security problem.

  8. The mentioned "this.hdr.rows[1].cells[el._cellIndex].firstChild;" operates on the sorting-state image of the grid column, which is initialised beforehand. The user has no direct access to that element. It also does not cause security problems.
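
The answer above states that dhtmlx inserts server data into the HTML output without filtering and relies on the backend being XSS-free, and that the eval() and setTimeout() sinks are not a problem. The block below is an added example, not dhtmlx code and not from either poster, showing the two sink patterns the Fortify report flags (eval of responseText in _process_json / XMLLoader, and innerHTML assignment of server-supplied content in _process_html) beside the hardened form an integrator can use in their own data loader. The function names parseJsonResponse*, escapeHtml and buildRowHtml* are hypothetical, and the response bodies are constructed for the demonstration.

```javascript
// Added example (not dhtmlx code): the two sink patterns Fortify reports in
// dhtmlx.js, eval(responseText) and element.innerHTML = serverData, shown
// beside hardened forms. All response bodies below are constructed.

// --- Pattern 1: JSON response body handed to eval() ---

// Insecure: any JavaScript in the response body runs in the page, because a
// parenthesised eval() accepts arbitrary statements after the object literal.
function parseJsonResponseUnsafe(responseText) {
  // eslint-disable-next-line no-eval
  return eval("(" + responseText + ")");
}

// Hardened: JSON.parse accepts only JSON; executable payloads are rejected.
function parseJsonResponseSafe(responseText) {
  return JSON.parse(responseText);
}

// --- Pattern 2: server-supplied cell text concatenated into innerHTML ---

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Insecure: raw cell values become markup, so a cell can carry a tag.
function buildRowHtmlUnsafe(cells) {
  return "<tr>" + cells.map((c) => "<td>" + c + "</td>").join("") + "</tr>";
}

// Hardened: escape each value before it becomes markup.
function buildRowHtmlSafe(cells) {
  return "<tr>" + cells.map((c) => "<td>" + escapeHtml(c) + "</td>").join("") + "</tr>";
}

// Constructed responses: a benign grid payload, and one that closes the
// object literal early and appends a statement (runs under eval, not JSON.parse).
const BENIGN_JSON = '{"rows":[{"id":1,"data":["a","b"]}]}';
const HOSTILE_JSON = '{"rows":[]}); globalThis.dhtmlxPwned = true; (1';

// Returns the observable results so the difference can be checked.
function demo() {
  const parsed = parseJsonResponseSafe(BENIGN_JSON);
  let hostileRejected = false;
  try {
    parseJsonResponseSafe(HOSTILE_JSON);
  } catch (e) {
    hostileRejected = e instanceof SyntaxError;
  }
  const cells = ["Alice", '<img src=x onerror="alert(1)">'];
  return {
    rowCount: parsed.rows.length,
    hostileRejected,
    unsafeRow: buildRowHtmlUnsafe(cells),
    safeRow: buildRowHtmlSafe(cells),
  };
}
```

Run under Node: parseJsonResponseUnsafe(HOSTILE_JSON) executes the trailing statement and sets a global, while JSON.parse throws a SyntaxError on the same body. The same reasoning applies to the setTimeout(0) findings above: the report lists them under Dynamic Code Evaluation because a string first argument is compiled and run as code, so passing a function closure instead of a string built from this.base.firstChild.value or h.value removes that sink without changing behaviour.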

#3

Hi sematik,
here are the details of the remaining issues:
“Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read c.xmlDoc.responseText
From: _process_html
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9” “Sink Details
Sink: Assignment to a.innerHTML
Enclosing Method: _process_html()
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9
Taint Flags: WEB, XSS”

Dynamic Code Evaluation: Code Injection
“Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read xml.xmlDoc.responseText
From: lambda
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9” “Sink Details
Sink: eval()
Enclosing Method: lambda()
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9
Taint Flags: WEB, XSS”

“Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.base.firstChild.value
From: _filterOpts
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9” “Sink Details
Sink: setTimeout(0)
Enclosing Method: _filterOpts()
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9
Taint Flags: WEB, XSS”

“Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read q.rows['?']
From: _createHRow
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9” “Sink Details
Sink: setTimeout(0)
Enclosing Method: _createHRow()
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9
Taint Flags: DATABASE, XSS”

“Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read data.responseText
From: _process_json
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9” “Sink Details
Sink: eval()
Enclosing Method: _process_json()
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9
Taint Flags: WEB, XSS”

“Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.base.firstChild.value
From: _cancelSelect
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9” “Sink Details
Sink: setTimeout(0)
Enclosing Method: _filterOpts()
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9
Taint Flags: WEB, XSS”

“Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read h.value
From: _ccDo
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9” “Sink Details
Sink: setTimeout(0)
Enclosing Method: _ccDo()
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9
Taint Flags: WEB, XSS”

“Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.proto.proto.rows['?'].cells['?']
From: setSortImgPos
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9” “Sink Details
Sink: setTimeout()
Enclosing Method: doOnScroll()
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9
Taint Flags: DATABASE, NUMBER”

“Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.proto.proto.rows['?']
From: setSortImgState
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9” “Sink Details
Sink: setTimeout()
Enclosing Method: doOnScroll()
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9
Taint Flags: DATABASE, NUMBER”

“Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Data Flow)
Source Details
Source: Read this.hdr.proto.proto.rows['?'].cells['?']
From: setSortImgPos
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9” “Sink Details
Sink: setTimeout()
Enclosing Method: doClick()
File: lib/dhtmlxSuite/codebase/dhtmlx.js:9
Taint Flags: DATABASE, NUMBER”