Tags: javascript, html, xss, checkmarx, dompurify

Why is Checkmarx not passing the XSS vulnerability after using DOMPurify?


I am scanning a project for vulnerabilities using Checkmarx, but I am unable to clear XSS vulnerabilities using DOMPurify in a JS file.

Example code:

// Sanitize a fragment of HTML, keeping only the listed tags (DOMPurify drops everything else).
function purifyDOM(tag) {
    var dom_purify = DOMPurify.sanitize(tag, {ALLOWED_TAGS: ['tr', 'th', 'td', 'a', 'div', 'table', 'option', 'html', 'i']});
    return dom_purify;
}

// Render the attribute path from the incoming record into the page.
function attribute_render(data) {
    var attribute = data['attribute_path'];
    var cleaned_tag = purifyDOM(attribute);
    $('#attributename').html(cleaned_tag);
}

I see the following information in the scan report.

Client DOM Stored XSS\Path 11:

The application's attribute_render embeds untrusted data in the generated output with html, at line 1233 of webapp/ktc_app/static/assets/js/customjs.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

Why is that? Can I move on to other methods to clear XSS vulnerabilities?


Solution

  • It might be a false positive.

    However, it might be an old version of DOMPurify that has security issues. There are known issues with older versions; see this: https://security.snyk.io/package/npm/dompurify

    If you are feeling paranoid (which is the right way to feel as a developer), test your code by trying to add inline JavaScript inside of a user text entry field or wherever your data comes from and see if you can get the code to execute. Try removing the sanitization, verify your JavaScript exploit works, and then add the sanitization back and verify you protected against it. Just because you protected against your exploit doesn't mean it protects against all exploits, but you are on the right track.

    You may also want to consider being more strict on entry fields, and checking the fields earlier than in your final render code. For example, do checks on individual fields like "Name should only be alphanumeric with spaces" and "Date should only be numbers and dashes", and then use the verified fields to build the render HTML. That way your protection isn't using a "soft" method like DOMPurify, which tries to accept most things; it uses a "hard" method that is as strict as you can be, field by field.

    Finally, in the release notes for Checkmarx version 9.4.5 they show better handling for false positives related to DOMPurify, so it might be a known issue depending on which version of the scanner you are using: https://checkmarx.com/resource/documents/en/34965-81296-release-notes-for-engine-pack--ep--9-4-5-patches.html

    Good Luck.
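The "hard" field-by-field approach suggested in the answer, written out as an added example (this is not code from the question or the answer): each field is checked against a strict allow-list pattern before any markup is built, and the verified values are still HTML-escaped when the row is assembled, so the output contains no raw input even if a rule is loosened later. The field names, patterns and sample records are constructed for this example.

```javascript
// Allow-list rules per field. Anything that does not match is rejected
// outright rather than "cleaned", which is the strict approach the answer
// describes. The field names and patterns are assumptions for this example.
const FIELD_RULES = {
  // Name: letters, digits and spaces only
  name: /^[A-Za-z0-9 ]{1,64}$/,
  // Date: digits and dashes only, e.g. 2024-01-31
  date: /^[0-9]{4}-[0-9]{2}-[0-9]{2}$/,
  // Attribute path: dotted identifier segments only
  attribute_path: /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/,
};

// Returns the trimmed value when it matches the field's pattern, else null.
function validateField(fieldName, value) {
  const rule = FIELD_RULES[fieldName];
  if (!rule || typeof value !== 'string') return null;
  const trimmed = value.trim();
  return rule.test(trimmed) ? trimmed : null;
}

// Escapes the characters that matter in element content and in
// double-quoted attribute values. Applied to already-verified values as a
// second layer, so the markup stays safe if a rule is relaxed later.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Validates every field in `data`. Markup is only built when all fields pass;
// otherwise the caller gets the list of rejected fields and an empty string.
function buildAttributeRow(data) {
  const errors = [];
  const verified = {};
  for (const fieldName of Object.keys(FIELD_RULES)) {
    const v = validateField(fieldName, data[fieldName]);
    if (v === null) {
      errors.push(fieldName);
    } else {
      verified[fieldName] = v;
    }
  }
  if (errors.length > 0) {
    return { ok: false, errors, html: '' };
  }
  const html =
    '<tr>' +
    '<td>' + escapeHtml(verified.name) + '</td>' +
    '<td>' + escapeHtml(verified.date) + '</td>' +
    '<td>' + escapeHtml(verified.attribute_path) + '</td>' +
    '</tr>';
  return { ok: true, errors, html };
}

// Constructed sample records: one clean, one with a script tag in the name
// field. The second is rejected by validation and never reaches the markup.
const GOOD_RECORD = { name: 'Pump 7', date: '2024-01-31', attribute_path: 'plant.area1.pump7' };
const BAD_RECORD = { name: '<script>alert(1)</script>', date: '2024-01-31', attribute_path: 'plant.area1' };

// Stand-alone demonstration.
console.log(buildAttributeRow(GOOD_RECORD));
console.log(buildAttributeRow(BAD_RECORD));
```

In the page code from the question, `attribute_path` looks like plain text rather than markup; if that is the case, `$('#attributename').text(cleaned_tag)` instead of `.html(...)` sets a text node and sidesteps HTML parsing entirely, which is the kind of change a static scanner such as Checkmarx recognizes as a safe sink far more reliably than a sanitizer call it may not model.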