Webix "Dynamic Code Evaluation: Code Injection" reported by HP Fortify Audit Workbench

Version: 4.2.4
File: webix.js

  1. Line 16: window.eval(t): The file webix.js interprets unvalidated user input as source code on line 16. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.

  2. Line 16: window.execScript(t): The file webix.js interprets unvalidated user input as source code on line 16. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.

  3. Line 17: window.setTimeout(): The file webix.js interprets unvalidated user input as source code on line 17. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.

  4. Line 103: The file webix.js interprets unvalidated user input as source code on line 103. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.
    Rule ID: 9B5887B1-8619-449F-B6B1-B86FDAA0F2C6
    Taint Flags: WEB, XSS
    Direct Function Call: Function.init^()

I posted only the first item in another thread. I noticed that there are 3 other issues reported under Dynamic Code Evaluation.

Please let me know how you address these issues as it is critical for my project.

Thanks,
George

Hi,

  • (1), (4)

You can enable strict mode, which will prevent usage of window.eval
https://docs.webix.com/api__env_strict_other.html

Other cases are by design and do not expose real vulnerabilities.

  • (2) execScript is used for loading external js files through webix.require.
  • (3) is used to delay the user’s code.
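To make the distinction in the reply above concrete, here is an added illustration (not Webix code, and not the reporter's or maksim's) of why a SAST tool flags items (1) and (4) and what a strict mode changes: a hypothetical config loader that evaluates text as JavaScript when a stand-in `env.strict` flag is off, but only accepts JSON when it is on, plus a timer wrapper that refuses the string form of setTimeout. All names are assumptions for the example.

```javascript
// Hypothetical stand-in for a library-wide strict flag (the page's
// webix.env.strict is the real setting; this object is constructed here).
const env = { strict: false };

// Parse a configuration string supplied by the page author.
function parseConfig(text) {
  if (env.strict) {
    // JSON.parse never executes code: non-JSON input (including any
    // embedded expression) throws instead of running.
    return JSON.parse(text);
  }
  // Non-strict path: indirect global eval, the equivalent of window.eval
  // in a browser. Whatever is in `text` runs with the page's privileges,
  // which is exactly the "Dynamic Code Evaluation" finding.
  return globalThis.eval("(" + text + ")");
}

// "Delay the user's code": only a function is accepted, never a string,
// so the timer cannot become a second eval sink (the string form of
// setTimeout is what tools flag as item 3).
function delay(fn, ms) {
  if (typeof fn !== "function") {
    throw new TypeError("delay() requires a function, got " + typeof fn);
  }
  return setTimeout(fn, ms);
}

module.exports = { env, parseConfig, delay };
```

With `env.strict = false`, a constructed input such as `'{a: (globalThis.marker = true)}'` runs the embedded assignment while being "parsed"; with `env.strict = true` the same input is rejected before any interpreter sees it.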

Thank you, maksim