Thank you both for your help, it's much appreciated!
This should hopefully be enough. :)
On Saturday, 25 November 2017 00:00:28 UTC+11, Thomas Broyer wrote:
>
> On Friday, November 24, 2017 at 3:13:08 AM UTC+1, Aleks wrote:
>>
>> Hi,
>>
>> we are currently going through a security audit and as part of that doing
>> static code scans. The scanner has returned two issues with the
>> GWT-generated <module>.nocache.js files.
>>
>> We can't really fix these as they are generated, but were hoping we could
>> challenge them if we had a good explanation or some "official" GWT resource
>> suggesting the code is actually safe.
>> I have found some previous posts on similar or same issues, but was
>> hoping I could get a response more relevant to the version we are using (
>> *2.8.1*) or an official resource (perhaps results of other
>> scans/security audits?).
>>
>>
>> Below are the two issues with explanations and the code lines.
>>
>> *1. Cross Site Scripting*
>>
>> *Description: *The method f() in <module>.nocache.js sends unvalidated
>> data to a web browser on line 13, which can result in the browser executing
>> malicious code.
>>
>> *Code: *
>> function f(a){
>>   if(a.match(/^\w+:\/\//)){
>>   }else{
>>     var b=r.createElement(Gb);
>>     b.src=a+Hb;
>>     a=e(b.src)
>>   }
>>   return a
>> }
>>
>
> This would come from here:
> https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/computeScriptBase.js#L49-L62
> It's used at
> https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/computeScriptBase.js#L115
>
> so it's never "user input" (comes from the DOM, at load time)
>
>
>> *2. Dynamic Code Evaluation - Code Injection*
>>
>> *Description: *The file webadmin.nocache.js interprets unvalidated user
>> input as source code on line 15. Interpreting user-controlled instructions
>> at run-time can allow attackers to execute malicious code.
>>
>> *Code*:
>> if(m.addEventListener){
>>   m.addEventListener($b,function(){H();M()},false)
>> }
>> var L=setInterval(function(){
>>   if(/loaded|complete/.test(m.readyState)){H();M()}
>> },50);
>> n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Q,millis:(new Date).getTime(),type:W});
>> n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Nb,millis:(new Date).getTime(),type:R});
>> m.write(_b)}
>>
>
> This comes from
> https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/waitForBodyLoaded.js,
> https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/isBodyLoaded.js,
> and
> https://github.com/gwtproject/gwt/blob/2.8.1/dev/core/src/com/google/gwt/core/ext/linker/impl/installLocationIframe.js#L52
>
> I believe.
> Again, nothing that comes from "user input".
>
> (I'm assuming the default configuration here)
>
--
You received this message because you are subscribed to the Google Groups "GWT
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.