Webcombo Security issue

sphinxg@usa.net — Thu, 23 Nov 2023 12:11:16 GMT

Hi,

I am using Intersoft webcombo in my ASP.Net Web application.

I am checking the application security using the tool semgrep for SAST (Static Application Security Testing).

While testing I face the below errors. The JavaScript generated by the webcombo is causing the issue .

Please help me to solve these issues.

Files in which error occured:

· CoreValidator.js
· Core_DragDrop.js
· ISCore.js
· WebUIValidation.js
· WebCombo.js

Error Message 1:

javascript.browser.security.insecure-document-method.insecure-document-method User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities

... e.innerHTML=v;WC40Engine.InvalidateResultBox(f);return v},WriteCOLs:function(f,d){var e="";if(f.LayoutSettings.ComboMode=="MultipleColumns"){var a= ...

... b.innerHTML="<nobr>"+l.Text+"</nobr>"}}else{var h=p.Columns;for(var k=0;k<h.length;k++){var f=h[k];if(f.Hidden&&!f.RenderOnHidden){continue}var q=f ...

Error Message 2:

javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `e` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.

…RegExp(c.Pattern,"img");g=c.NewValue.match(re);if(g==null){c.NewValue=c.NewValue.replace(new RegExp("\\s+","g"),"");g=c.NewValue.match(re)}if(g== ...

Error Message 3:

javascript.browser.security.eval-detected.eval-detected Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.

al(this.getAttribute(name))}}}},_EmulateSelectionModel:function(){Object.defineProperty(HTMLDocument.prototype,"selection",{get:function(){return w ...

Error Message 4:

javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization `h.replace` method will only replace the first occurrence when used with a string argument ("$"). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.

replace("$","\\s*\\"+i+"\\s*")}else{if(j=="percent"){h=h.replace(i,"\\s*\\"+i+"\\s*")}}h="(?:^"+h.replace(new RegExp("\\s*","g"),"")+"$)";return h} ...

With Regards,

Giridhar JG

Intersoft Community - WebCombo - Webcombo Security issue

Webcombo Security issue