CodeQL documentation
CodeQL resources

Improper code sanitization

ID: js/bad-code-sanitization Kind: path-problem Security severity: 6.1 Severity: error Precision: high Tags: - security - external/cwe/cwe-094 - external/cwe/cwe-079 - external/cwe/cwe-116 Query suites: - javascript-code-scanning.qls - javascript-security-extended.qls - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Using string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.

Recommendation

If using JSON.stringify or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.

Example

The example below constructs a function that assigns the number 42 to the property key on an object obj. However, if key contains </script>, then the generated code will break out of a </script> if inserted into a </script> tag.

functioncreateObjectWrite(){constassignment=`obj[${JSON.stringify(key)}]=42`;return`(function(){${assignment}})`// NOT OK}

The issue has been fixed by escaping potentially dangerous characters, as shown below.

constcharMap={'<':'\\u003C','>':'\\u003E','/':'\\u002F','\\':'\\\\','\b':'\\b','\f':'\\f','\n':'\\n','\r':'\\r','\t':'\\t','\0':'\\0','\u2028':'\\u2028','\u2029':'\\u2029'};functionescapeUnsafeChars(str){returnstr.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g,x=>charMap[x])}functioncreateObjectWrite(){constassignment=`obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;return`(function(){${assignment}})`// OK}

References

close