
VeraCode - This call to name() contains a cross-site scripting (XSS) flaw


Could anyone explain why VeraCode appears to think using name as a public property is a bad idea and propose a good comment for mitigation?

The code (JavaScript):

var BatchTask = (function () {
    function BatchTask(batchOrTask, isBatch) {    
        if (isBatch) {
            ...
        }
        else {
            var task = batchOrTask;
            this.name = task.name; // flaw identified on this line
        }
    }
    return BatchTask;
}());

The flaw: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Attack Vector: name

Description: This call to name() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.


Solution

  • After a consultation with Veracode, they have confirmed this is a false-negative and is a bug in their engine they will look into.
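For context on why a scanner tracks the `this.name = task.name` assignment at all, here is an added example (not code from the question, the answer or Veracode): it mirrors the flagged constructor, then shows the two places the stored value could reach a page, a sink that interpolates it raw and one that HTML-encodes it. The assignment itself is only taint propagation; CWE-80 applies at the raw sink, and the fix belongs there. The `renderUnsafe`/`renderSafe` functions and the `escapeHtml` helper are constructed for this illustration.

```javascript
// Minimal HTML encoder for text placed between tags or in a quoted attribute.
// Order matters: '&' must be replaced first so existing entities are not doubled.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors the flagged pattern: a value that originated from untrusted input is
// copied onto the object. Nothing is written to a response here; a taint
// tracker simply records that `name` now carries the untrusted value.
function BatchTask(batchOrTask, isBatch) {
  if (isBatch) {
    this.name = 'batch'; // constructed stand-in; the original elides this branch
  } else {
    var task = batchOrTask;
    this.name = task.name; // the line the scanner reported
  }
}

// Sink that CWE-80 actually describes: the raw name is concatenated into markup,
// so any '<' or quote in it is interpreted by the browser as HTML.
function renderUnsafe(task) {
  return '<li class="task">' + task.name + '</li>';
}

// Same output with the value encoded at the point of output, so it is rendered
// as text no matter what the task name contains.
function renderSafe(task) {
  return '<li class="task">' + escapeHtml(task.name) + '</li>';
}

// Constructed sample input: a task name carrying markup.
var sample = new BatchTask({ name: 'Nightly <script>alert(1)</script>' }, false);
renderUnsafe(sample); // markup survives into the page
renderSafe(sample);   // markup is encoded: Nightly &lt;script&gt;...
```

When reviewing a finding like this, trace where the property is ultimately emitted; if every sink encodes (or uses `textContent`/a templating engine with auto-escaping), the report on the assignment line is a false positive of the tracker, not a flaw in the constructor.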