Hi, I'm trying to generate breadcrumbs from the contents of `window.location.pathname`. Everything works well, except that when I run the code through Veracode it complains that the input is untrusted.
I have tried replacing all the characters in the untrusted data with the following:

```javascript
untrustedData.replace(/[^A-Za-z0-9]/g, '');
```

Veracode still complains. Here's roughly what I've done:
```javascript
const breadcrumbsElement = document.querySelector('#breadcrumbs');

// Split the current path into its segments (the leading '/' yields an empty first segment)
const pathNames = window.location.pathname.split('/');

// Strip everything except ASCII letters and digits from a segment
const sanitiseString = (string) => string.replace(/[^A-Za-z0-9]/g, '');

// Append one <a> crumb for a sanitised segment to the container element
const addCrumb = (sanitisedRoute, element) => {
  const newCrumb = document.createElement('a');
  newCrumb.href = `/consumer/${sanitisedRoute}`;
  newCrumb.innerText = sanitisedRoute;
  element.appendChild(newCrumb);
};

pathNames.forEach((route) => {
  addCrumb(sanitiseString(route), breadcrumbsElement);
});
```
Here's the error it gives me:
Flaw Id: 12
Description: This call to href() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.
Remediation: Use contextual escaping on all untrusted data before using it to construct any portion of an HTTP response. The escaping method should be chosen based on the specific use case of the untrusted data, otherwise it may not protect fully against the attack. For example, if the data is being written to the body of an HTML page, use HTML entity escaping; if the data is being written to an attribute, use attribute escaping; etc. Both the OWASP Java Encoder library and the Microsoft AntiXSS library provide contextual escaping methods. For more details on contextual escaping, see https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md. In addition, as a best practice, always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
Veracode is specifically complaining about the `element.appendChild()` and `newCrumb.href = `baseUrl${untrustedData}`;` lines.
My question is how I go about sanitising `window.location.pathname`. Is there a better, trusted way to get the current path names, or is this just a false positive from Veracode?
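As an added example (not code from the question or from Veracode), here is the same breadcrumb logic split into an allowlist check, a pure builder that can be unit-tested without a browser, and a DOM renderer that uses `textContent` and a validated relative `href`; the `/consumer/` base and `#breadcrumbs` id come from the question, the function names are my own.

```javascript
// Added example, not the question's code. Names are mine; "/consumer/" and
// "#breadcrumbs" are taken from the question.

// Allowlist for one path segment: unreserved URL characters only. Anything
// else ("<", ":", "%", ".." and so on) fails validation instead of being
// "cleaned", so a crumb is either fully validated or not rendered at all.
// Note that this also rejects percent-encoded segments; widen deliberately.
const SEGMENT_RE = /^[A-Za-z0-9_-]+$/;

function isSafeSegment(segment) {
  return SEGMENT_RE.test(segment);
}

// Build the breadcrumb model from a pathname string. Empty segments from the
// leading/trailing "/" are skipped, invalid ones are dropped, and each crumb
// keeps the question's per-segment link shape: base + segment.
function buildCrumbs(pathname, base = '/consumer/') {
  const crumbs = [];
  for (const segment of pathname.split('/')) {
    if (segment === '' || !isSafeSegment(segment)) continue;
    crumbs.push({
      // encodeURIComponent is a no-op for allowlisted characters; it keeps
      // the href well-formed if the allowlist is ever widened.
      href: base + encodeURIComponent(segment),
      text: segment,
    });
  }
  return crumbs;
}

// Render with DOM property/attribute APIs only: textContent for the label and
// a validated, relative href. Nothing here is parsed as HTML, and a relative
// path under base cannot become a "javascript:" or cross-origin URL.
function renderCrumbs(container, crumbs) {
  for (const crumb of crumbs) {
    const a = document.createElement('a');
    a.setAttribute('href', crumb.href);
    a.textContent = crumb.text;
    container.appendChild(a);
  }
}

// Browser entry point; skipped when the file runs under Node for tests.
if (typeof document !== 'undefined') {
  renderCrumbs(document.querySelector('#breadcrumbs'),
               buildCrumbs(window.location.pathname));
}
```

Because `buildCrumbs` is pure, the validation rule can be covered by unit tests independently of the DOM, which also gives a static analyser a clear validate-then-use boundary to reason about.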