"Incomplete multi-character sanitization"
"Incomplete multi-character sanitization"
cicko
Posts: 3Questions: 1Answers: 0
Description of problem:
We are using DataTables.net in a c# project and the code security scanner reports several issues. One of them is Incomplete multi-character sanitization (js/incomplete-multi-character-sanitization). How do you normally go about such reports?
The reported line is in dataTables.js:2440,
else if ( sType == "html" )
{
return sData.replace(/[\r\n]/g," ").replace( /<.*?>/g, "" );
}
else if ( typeof sData === "string" )
The description and the recommendation below.
Description
Sanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.
Attackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.
Recommendation
To prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.
If a library is not an option, you can consider alternative strategies to fix the issue. For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.
Answers
The file is jquery.dataTables.js, version 1.9.4
All reported instances are at lines:
No longer supported. It was released in 2012 and has long since been outdated.
2.0.5 is the current release and should pass CodeQL cleanly (which it appears is what you are using?).
Allan