Corporate Security Scans
My company is flagging security violations to code in datatables.js.
Here is the code snippet in question from my company:
wwwroot/lib/datatables/datatables.js:8412

    if ( loaded && loaded.childRows ) {
        api
            .rows( $.map(loaded.childRows, function (id){
                return id.replace(/:/g, '\\:')   // CodeQL: This does not escape backslash characters in the input.
            }) )
            .every( function () {
                _fnCallbackFire( context, null, 'requestChild', [ this ] )
Error messages shown:
Sanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.
However, directly using the string replace method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.
In the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.
Even if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.
Description of problem:
My company is upgrading its applications and is getting more strict on security. Please give suggestions or possible solutions to fulfill my company's ever-growing security enforcement.
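The CodeQL text quoted above describes a general pattern rather than anything specific to DataTables: escaping a meta-character with a backslash while leaving the backslash itself unescaped. The following is an added example, not DataTables code and not from the scanner, that puts the flagged one-liner next to a form that escapes the backslash first, and uses a small tokenizer (written for this example) to report which selector meta-characters are left with their special meaning. The sample ids, including the one that already contains a backslash, are constructed for the demonstration; whether such an id can ever reach this code path is a separate question about where the ids come from.

```javascript
// Added example (not DataTables code): CodeQL's "incomplete string escaping"
// point in isolation. escapeColonOnly mirrors the flagged expression;
// escapeCssMeta escapes the backslash first, then the other meta-characters.

// Mirrors the flagged expression: only ':' is escaped.
function escapeColonOnly(id) {
  return id.replace(/:/g, '\\:');
}

// Backslash first, then the remaining CSS selector meta-characters.
// Order matters: escaping ':' before '\' would re-escape the backslashes
// that the first step just added.
function escapeCssMeta(id) {
  return id
    .replace(/\\/g, '\\\\')
    .replace(/([:.\[\],#])/g, '\\$1');
}

// Scan a selector fragment the way a CSS tokenizer would: a backslash makes
// the next character literal; any other meta-character keeps its special
// meaning. Returns the meta-characters that were left unescaped.
function unescapedMeta(fragment) {
  const meta = new Set([':', '.', '[', ']', ',', '#']);
  const found = [];
  for (let i = 0; i < fragment.length; i++) {
    if (fragment[i] === '\\') { i++; continue; } // skip the escaped character
    if (meta.has(fragment[i])) found.push(fragment[i]);
  }
  return found;
}

// Run both escapers over one id and report what each leaves unescaped.
function compareEscapers(id) {
  return {
    id,
    colonOnly: { out: escapeColonOnly(id), unescaped: unescapedMeta(escapeColonOnly(id)) },
    complete:  { out: escapeCssMeta(id),   unescaped: unescapedMeta(escapeCssMeta(id)) },
  };
}

// Constructed sample ids: two ordinary row ids, and one that already holds a
// backslash, which is exactly the input the CodeQL rule is talking about.
const SAMPLE_IDS = ['row_1', 'row:1', 'row\\:1'];

for (const id of SAMPLE_IDS) {
  console.log(JSON.stringify(compareEscapers(id)));
}
```

For plain ids such as row:1 both escapers agree. For the id that already contains a backslash, the colon-only form yields `row\\:1`, where the CSS tokenizer reads `\\` as a literal backslash and the colon as an unescaped pseudo-class marker, which is the situation the scanner message describes. In a browser, `CSS.escape()` (and `jQuery.escapeSelector()` in jQuery 3) performs the complete escaping, so either is a drop-in alternative if a team wants the warning to go away rather than be suppressed.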
Replies
I'm not clear on why anything in that regex would need to be escaped? It is simply checking that the id parameter itself gets escaped - a colon is valid as a DOM id, but it causes issues with CSS selectors. There is no user input there, no SQL query. It sounds to me like the security scanner has flagged a false positive.
If you can see how it is a security issue, I'm all ears and would be happy to make whatever changes are needed in DataTables, but I don't see how that is the case here.
Allan
The ironic thing is that the \\ is escaping a single \. I'm just not getting it...
Allan
That is excellent and thank you for confirming what we were already thinking. Please close this discussion.