vakata / jstree

jquery tree plugin
http://jstree.com
MIT License
5.13k stars 1.39k forks

How can I resolve the vulnerability in JSTree's get_node flagged by Checkmarx? #2775

Closed jportilloa closed 1 week ago

jportilloa commented 6 months ago

In Checkmarx, this vulnerability is flagged as follows: "The method function embeds untrusted data in generated output with jQuery, at line 962 of jstree. This untrusted data is embedded into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page." This vulnerability arises from the following code:

else if(typeof obj === "string" && (dom = $('#' + obj.replace($.jstree.idregex,'\\$&'), this.element)).length && this._model.data[dom.closest('.jstree-node').attr('id')]) {
    obj = this._model.data[dom.closest('.jstree-node').attr('id')];
}

And also this:

if(as_dom) {
    obj = obj.id === $.jstree.root ? this.element : $('#' + obj.id.replace($.jstree.idregex,'\\$&'), this.element);
}

These snippets reference the following code:

$('#' + obj.replace($.jstree.idregex,'\\$&'), this.element)

And this:

$('#' + obj.id.replace($.jstree.idregex,'\\$&'), this.element)
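An added example, not jstree's code and not part of the report above, that isolates the step Checkmarx is flagging: the id is escaped with `$.jstree.idregex` before it is prefixed with `#` and handed to jQuery. The block reproduces that construction in plain Node.js (no DOM, no jQuery) and checks the two properties a reviewer would want to confirm: that every selector metacharacter in the id ends up backslash-escaped, so the string can only ever select an element with that literal id, and that a string starting with `#` never reaches jQuery's HTML-parsing path. The character class for `idregex` and the `rquickExpr` rule are reproduced from memory of jstree 3.x and jQuery 3.x respectively; treat both as assumptions and compare them against the versions you ship.

```javascript
// Added example (not jstree's code): reproduces the escaping step that
// jstree's get_node applies before building an id selector, and checks
// the properties that matter for the scanner finding in the report.
// ASSUMPTION: the character class below is reproduced from memory of
// jstree 3.x's $.jstree.idregex; verify against the version you ship.
const idregex = /[\\:&!^|()\[\]<>@*'+~#";.,=\- \/${}%?`]/g;

// Same construction as '#' + obj.replace($.jstree.idregex, '\\$&'):
// every selector metacharacter in the id gets a backslash in front of it.
function idSelector(id) {
  return '#' + String(id).replace(idregex, '\\$&');
}

// Mirror of the rule jQuery's $(string) uses to decide whether a string is
// HTML markup (parsed into elements) or a selector: it is markup only if it
// starts with '<' and ends with '>', or matches the leading-'<' branch of
// rquickExpr. ASSUMPTION: written from jQuery 3.x's init as remembered.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;
function looksLikeHtmlToJQuery(s) {
  let match = null;
  if (s[0] === '<' && s[s.length - 1] === '>' && s.length >= 3) {
    match = [null, s, null];
  } else {
    match = rquickExpr.exec(s);
  }
  return Boolean(match && match[1]);
}

// Lists selector metacharacters that are NOT backslash-escaped (ignoring the
// leading '#'). An unescaped one would change what the selector matches:
// a ',' or ' ' turns "the node with this id" into "any matching element".
const META = new Set([' ', ',', '>', '+', '~', '[', ']', '(', ')', ':', '.', '#', '*', '=', '"', "'"]);
function unescapedMetachars(selector) {
  const found = [];
  for (let i = 1; i < selector.length; i++) {
    const c = selector[i];
    if (c === '\\') { i++; continue; }   // escaped character: skip it
    if (META.has(c)) found.push({ index: i, char: c });
  }
  return found;
}

// Constructed sample ids: one benign, one carrying selector syntax,
// one carrying markup.
const SAMPLES = ['node_1', 'a, img[onerror=x]', '<img src=x>'];

// For each sample: the escaped selector, how many metacharacters survive
// unescaped (always 0), how many a naive '#' + id would leave, and whether
// jQuery would treat the escaped string as HTML (always false).
function demo() {
  return SAMPLES.map((id) => ({
    id,
    escaped: idSelector(id),
    unescapedMetachars: unescapedMetachars(idSelector(id)).length,
    naiveMetachars: unescapedMetachars('#' + id).length,
    treatedAsHtml: looksLikeHtmlToJQuery(idSelector(id)),
  }));
}

console.table(demo());
```

Because the surrounding jstree code goes on to call `dom.length` and `dom.closest('.jstree-node').attr('id')`, whatever is assigned to `dom` has to be a jQuery object; a bare `this.element.querySelector(...)` returns an `Element` (or `null`), which is the kind of mismatch that breaks `get_node` even though it quiets the scanner.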

vakata commented 6 months ago

I guess those snippets could be replaced with this.element.querySelector(... but I will check and let you know.

jportilloa commented 6 months ago

Hello, thank you for responding. Yes, I tried with this.element.querySelector(...); it no longer detects the vulnerability, but the get_node function doesn't work properly anymore.

vakata commented 1 week ago

I will only be doing critical fixes in v.3 from now on. While this report sounds troublesome, I struggle to find an actual exploit for this. If an actual exploit is possible I will fix this ASAP.