HP Fortify Reports 2 Critical Issues with ExtJS 4.x Framework (Eval Present)



PaulBt
24 Feb 2015, 5:12 AM
Hi,

As part of securing the application I work on, we run a HP Fortify scan on all the code. Any issues reported with our own custom code can be fixed - that's fine.

However, HP Fortify reports two critical issues related to inherent ExtJS code (both categorized as "Dynamic Code Evaluation: Code Injection"). One file is within the 'ext' folder and one is automatically generated code in bootstrap.js (root folder). Both contain the 'eval' method - as is commonly preached, eval is considered evil and HP Fortify places it high on the risk list.

Since these issues are present in the ExtJS framework itself (and therefore not supposed to be edited), can anyone shed light on how best to resolve these critical security issues?

If either is considered a false positive, can you provide a clear explanation why, since any false positives need to be signed off with a strong explanation for not refactoring the code.


Details of files:

File: /ext/src/ux/ajax/SimXhr.js
Line 130: eval(text);
HP Fortify Abstract: The file SimXhr.js interprets unvalidated user input as source code on line 103. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.

File: bootstrap.js
Line: var options = eval("(" + xhr.responseText + ")"),
HP Fortify Abstract: The file bootstrap.js interprets unvalidated user input as source code on line ####. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.

ExtJS Version: 4.1.2 (though the issues may be present in all 4.x versions)


Thanks in advance!
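The bootstrap.js pattern quoted in the question, `eval("(" + xhr.responseText + ")")`, placed beside a JSON.parse replacement, as an added example that is not part of the original post or of the ExtJS codebase. The XHR response is simulated with constructed strings, and the names `legacyParse`, `strictParse`, `sideEffects` and `demo` are chosen for this example.

```javascript
// Added example (not from the forum post or ExtJS): the flagged eval pattern
// beside a hardened JSON.parse version, run on constructed response bodies.

// Counter that a constructed "response" below can reach only if it is executed.
const sideEffects = { count: 0 };

// The pattern Fortify flagged: the response body is interpreted as JavaScript,
// so anything the server (or an attacker in the path) returns is executed.
function legacyParse(responseText) {
  return eval("(" + responseText + ")");
}

// Hardened form: the same response is treated strictly as JSON data. Input
// that is not pure JSON (expressions, function calls, comments) is rejected
// with a SyntaxError instead of being executed.
function strictParse(responseText) {
  try {
    return { ok: true, options: JSON.parse(responseText) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample responses. The first is plain JSON bootstrap-style
// options that both parsers accept; the second carries an expression that
// only eval will evaluate (it bumps the counter as a visible side effect).
const benignResponse = '{"disableCaching": true, "paths": {"Ext": "ext/src"}}';
const taintedResponse = '{"disableCaching": sideEffects.count++ >= 0}';

// Runs both parsers over both responses and reports what happened.
function demo() {
  const a = legacyParse(benignResponse);
  const b = strictParse(benignResponse);
  legacyParse(taintedResponse);             // executes sideEffects.count++
  const d = strictParse(taintedResponse);   // SyntaxError, nothing executed
  return {
    legacyBenign: a.paths.Ext,                 // "ext/src"
    strictBenign: b.ok ? b.options.paths.Ext : null,
    legacyRanCode: sideEffects.count,          // 1: eval ran the expression
    strictRejected: !d.ok,                     // true: JSON.parse refused it
  };
}
```

Call `demo()` once; the counter it returns shows that the eval form executed the tainted body while JSON.parse rejected it without running anything.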

skirtle
25 Feb 2015, 3:37 PM
Both of those files are usually used for development and testing only. Are you using them in production?