jakerella / jquery-mockjax

The jQuery Mockjax Plugin provides a simple and extremely flexible interface for mocking or simulating ajax requests and responses

safety information when using scan owasp 2017 #350

Closed ducmanhkthd closed 4 years ago

ducmanhkthd commented 4 years ago

error Code Injection Sink: ~JS_Generic.globalEval()
Enclosing Method: processJsonpRequest()
line error: $.globalEval( '(' + JSON.stringify( mockHandler.responseText ) + ')'); and $.globalEval( '(' + mockHandler.responseText + ')');

```javascript
// If the response handler on the mock is a function, call it
if ( mockHandler.response && $.isFunction(mockHandler.response) ) {
    mockHandler.response(origSettings);
} else {
    // Evaluate the responseText javascript in a global context
    if( typeof mockHandler.responseText === 'object' ) {
        $.globalEval( '(' + JSON.stringify( mockHandler.responseText ) + ')');
    } else {
        $.globalEval( '(' + mockHandler.responseText + ')');
    }
}
```

Can you help me fix this?

jakerella commented 4 years ago

Yeah, I can see why this would show up on a security scan. Generally speaking, global eval is a nasty thing. However, since Mockjax is intended to be used in testing environments only and not as part of your codebase, I do not consider this a security threat. I recommend adding an ignore to your scan for mockjax... and not using mockjax in your project other than as a testing aide.
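The scanner's finding can be reproduced outside jQuery. The block below is an added example, not Mockjax's own code or the maintainer's suggestion: it rebuilds the two flagged branches with an indirect `eval` standing in for `$.globalEval` (both evaluate in global scope), and places a parse-only variant next to them. The function names `evalMockResponse`, `parseMockResponse` and `demo`, and the two mock bodies, are constructed for this illustration. A string `responseText` is executed as JavaScript by the first variant and rejected as non-JSON by the second, which is exactly the distinction the "code injection sink" rule is about.

```javascript
// Added example (not Mockjax code). `(0, eval)` is an indirect eval: it runs
// in global scope, which is the behaviour $.globalEval is approximated with here.

// Mirrors the flagged branches: an object is serialised and re-evaluated,
// a string is evaluated as-is. Whatever a string responseText contains runs.
function evalMockResponse(responseText) {
  const src = typeof responseText === 'object'
    ? '(' + JSON.stringify(responseText) + ')'
    : '(' + responseText + ')';
  return (0, eval)(src); // global-scope evaluation, the sink the scanner reports
}

// Same contract without a code-execution sink: objects pass through as plain
// data, strings must be valid JSON. A string that is really JavaScript throws.
function parseMockResponse(responseText) {
  if (responseText !== null && typeof responseText === 'object') {
    return JSON.parse(JSON.stringify(responseText)); // plain-data copy
  }
  if (typeof responseText !== 'string') {
    throw new TypeError('responseText must be an object or a JSON string');
  }
  return JSON.parse(responseText); // SyntaxError on anything that is not JSON
}

// Constructed inputs: a benign JSON mock body and one that carries code.
const BENIGN = '{"id": 7, "name": "alice"}';
const HOSTILE = '(function () { globalThis.mockjaxSinkHit = true; return {}; })()';

// Runs both variants over both inputs and reports what happened, using a
// global marker to detect whether the hostile body actually executed.
function demo() {
  delete globalThis.mockjaxSinkHit;
  const viaEval = evalMockResponse(BENIGN);
  evalMockResponse(HOSTILE);
  const evalRanCode = globalThis.mockjaxSinkHit === true;

  delete globalThis.mockjaxSinkHit;
  const viaParse = parseMockResponse(BENIGN);
  let parseRejected = false;
  try {
    parseMockResponse(HOSTILE);
  } catch (e) {
    parseRejected = e instanceof SyntaxError;
  }
  const parseRanCode = globalThis.mockjaxSinkHit === true;

  return { viaEval, viaParse, evalRanCode, parseRejected, parseRanCode };
}

console.log(demo());
```

Running it shows `evalRanCode: true` and `parseRanCode: false`: the eval path returns the same object as the parse path for a well-formed JSON body, but it also executes the hostile body, while `JSON.parse` refuses it. That is why a scanner flags the pattern regardless of intent; whether it matters depends, as the maintainer says, on the mock bodies only ever coming from your own test suite and the library never shipping in production bundles.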

ducmanhkthd commented 4 years ago

Thank you, I chose the solution of not using mockjax while I scan with OWASP.