ASP.NET MVC 2021.3.1109 Security

David asked on 03 Jan 2022, 09:00 PM | edited on 06 Jan 2022, 03:47 PM

A security scan caught security vulnerabilities on several javascript files included with ASP.NET MVC version 2021.3.1109:

[1] kendo 2021.3.1109 kendo.dataviz.map.min.js

"The application's tileTitle:this._tileTitle}},wrapIndex:function embeds untrusted data in the generated output with location, at line 26"

[2] kendo 2021.3.1109 kendo.data.min.js

"The application's e},destroyed:function embeds untrusted data in the generated output with wrapAll, at line 26"

[3] kendo 2021.3.1109 kendo.aspnetmvc.min.js

"The application's !function embeds untrusted data in the generated output with href, at line 25"

[4] kendo 2021.3.1109 kendo.mobile.min.js

"The application's r.rightElement=n embeds untrusted data in the generated output with inArray, at line 35"

Can I safely exclude these files from my project?

Thanks.

1 Answer, 1 is accepted

Georgi
Telerik team
answered on 06 Jan 2022, 03:48 PM | edited on 06 Jan 2022, 03:52 PM

Hello David,

Looking at the reports, I believe it is safe to say that they are false positives. Below I will give some explanation for every file:

1. The report says that untrusted data is embedded; actually, the data comes from your configuration:


Even if someone modifies the setting in their browser, the change will not persist, thus it is not possible to harm another user.

2. Similar to the first point, the destroyed data is not untrusted as it is created by the dataSource.

3. The report points to the usage of location.href code logic. This part of the code is used only in one scenario, a grid with server binding, and in this case, we do need to alter the parameters in order to reflect the changes to the UI. The URL is generated depending on the grid's state, thus the data is again safe. Nevertheless, if you are not using server binding, this piece of code will never run.

4. In this scenario the untrusted data is actually a few DOM elements created by us.

Finally, removing these files is not an option for you. Removing the map script means that you will no longer be able to use the Map component. The aspnetmvc script contains a handler that every single component uses, and data.js contains the dataSource, so every data bound component needs it.

I hope this answers your question.

Regards,
Georgi
Progress Telerik
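The pattern behind point 3 of the answer (a navigation URL rebuilt from the grid's own paging and sorting state and then assigned to location.href) is the kind of sink a static scanner flags regardless of where the input comes from. The block below is an added illustration, not Telerik's or Kendo's code: the function and parameter names (buildGridUrl, roundTripsSafely, the gridState shape, the example.test host) are hypothetical, and it shows why a URL built from component state with proper query encoding is not an injection vector, plus the round-trip check a reviewer can run when triaging such a finding.

```javascript
// Added example, not Kendo UI code. Names and the state shape are hypothetical.
// Mirrors the "URL from grid state" scenario: paging/sorting values are written
// into the query string so that a server-bound grid can reload with them.

// Build the navigation URL from a grid state object such as
// { page: 2, pageSize: 10, sort: { field: "name", dir: "desc" } }.
// URLSearchParams percent-encodes every value, so no value can break out of
// the query string or inject markup into the resulting href.
function buildGridUrl(baseUrl, state) {
  const url = new URL(baseUrl);
  const params = url.searchParams;
  if (state.page !== undefined) params.set("page", String(state.page));
  if (state.pageSize !== undefined) params.set("pageSize", String(state.pageSize));
  if (state.sort) params.set("sort", `${state.sort.field}-${state.sort.dir}`);
  return url.toString();
  // In a browser the caller would then do: location.href = buildGridUrl(...)
  // This is the assignment a scanner reports as "embeds data ... with href".
}

// Triage helper for a scanner finding on this sink: even if a hostile-looking
// string reached the state, it must (a) never appear raw in the URL and
// (b) survive an encode/decode round trip unchanged, proving the sink only
// ever sees encoded data. Returns true when both conditions hold.
function roundTripsSafely(baseUrl, hostileValue) {
  const out = buildGridUrl(baseUrl, { sort: { field: hostileValue, dir: "asc" } });
  const rawCharsPresent = /[<>"']/.test(out);
  const decoded = new URL(out).searchParams.get("sort");
  return !rawCharsPresent && decoded === `${hostileValue}-asc`;
}

// Constructed sample inputs for a stand-alone run.
console.log(buildGridUrl("https://example.test/grid", {
  page: 2, pageSize: 10, sort: { field: "name", dir: "desc" }
}));
console.log(roundTripsSafely("https://example.test/grid", "<img src=x onerror=alert(1)>"));
```

The point for triage is the source, not the sink: the scanner is right that location.href is a sink, but the values written into it here are the grid's own page, pageSize and sort fields, and they are encoded on the way in. The same check would fail, and the finding would be real, only if a caller bypassed the encoding and concatenated a user-supplied string into the URL directly.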
