
How can I resolve the vulnerability in JSTree's get_node flagged by Checkmarx?

Open jportilloa opened this issue 1 year ago • 2 comments

In Checkmarx, this vulnerability is flagged as follows: "The method function embeds untrusted data in generated output with jQuery, at line 962 of jstree. This untrusted data is embedded into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page." This vulnerability arises from the following code:

else if(typeof obj === "string" && (dom = $('#' + obj.replace($.jstree.idregex,'\\$&'), this.element)).length && this._model.data[dom.closest('.jstree-node').attr('id')]) {
    obj = this._model.data[dom.closest('.jstree-node').attr('id')];
}

And also this:

if(as_dom) {
    obj = obj.id === $.jstree.root ? this.element : $('#' + obj.id.replace($.jstree.idregex,'\\$&'), this.element);
}

These snippets reference the following code:

$('#' + obj.replace($.jstree.idregex,'\\$&'), this.element)

And this:

$('#' + obj.id.replace($.jstree.idregex,'\\$&'), this.element)

jportilloa avatar Mar 06 '24 18:03 jportilloa
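An added example (not jstree's own code) of what the `.replace($.jstree.idregex,'\\$&')` in the flagged lines does: every CSS selector metacharacter in the untrusted id is backslash-escaped before it is concatenated into the `#id` selector, so the id cannot turn into a second selector, and because the string always starts with `#`, jQuery never parses it as HTML. The regex below approximates jstree's idregex and is an assumption; compare it with the copy in your jstree.js when triaging the finding.

```javascript
// Approximation of $.jstree.idregex (assumption, not copied from jstree.js):
// the set of characters that have meaning inside a CSS selector.
const ID_METACHARS = /[\\:&!^|()\[\]<>@*'+~#";.,=\- \/${}%?`]/g;

// Backslash-escape every metacharacter, exactly what obj.replace(idregex, '\\$&') does.
function escapeSelectorId(id) {
  return String(id).replace(ID_METACHARS, '\\$&');
}

// Build the "#id" selector used by get_node(). With escaping applied it can only
// match one id attribute; a ',' or ' ' in the id no longer starts a new selector.
function buildIdSelector(id) {
  return '#' + escapeSelectorId(id);
}

// Triage helper: does a selector fragment still contain an unescaped metacharacter?
// A backslash consumes the character that follows it, so escaped ones are skipped.
function hasUnescapedMetachar(fragment) {
  const single = new RegExp(ID_METACHARS.source); // non-global copy, safe for .test()
  for (let i = 0; i < fragment.length; i++) {
    if (fragment[i] === '\\') { i++; continue; }
    if (single.test(fragment[i])) return true;
  }
  return false;
}

// Constructed untrusted ids for illustration (not real jstree node ids).
const SAMPLES = {
  plain: 'node_7',
  selectorBreakout: 'x, body', // unescaped "#x, body" would also select every <body>
  quoteBreakout: 'x"]',
};

// Returns { name: { raw, escaped, rawUnsafe, escapedUnsafe } } for each sample.
function demo() {
  const out = {};
  for (const [name, id] of Object.entries(SAMPLES)) {
    out[name] = {
      raw: '#' + id,
      escaped: buildIdSelector(id),
      rawUnsafe: hasUnescapedMetachar(id),
      escapedUnsafe: hasUnescapedMetachar(escapeSelectorId(id)),
    };
  }
  return out;
}
```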

I guess those snippets could be replaced with this.element.querySelector(... but I will check and let you know.

vakata avatar Mar 12 '24 14:03 vakata

Hello, thank you for responding. Yes, I tried with this.element.querySelector(...); it no longer detects the vulnerability, but the get_node function doesn't work properly anymore.

jportilloa avatar Mar 14 '24 23:03 jportilloa

I will only be doing critical fixes in v.3 from now on. While this report sounds troublesome, I struggle to find an actual exploit for this. If an actual exploit is possible I will fix this ASAP.

vakata avatar Sep 03 '24 06:09 vakata