apostrophecms / sanitize-html

Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance


Fix checkmarx vulnerability

finbargp opened this issue · comments

Apologies if this has been reported before, but I couldn't find it. I'm using v2.11 of sanitize-html.

To Reproduce

When I attempt to commit any change to my package.json in IntelliJ I get the following warning, which I have to override each time:

Dependency npm:sanitize-html:2.11.0 is vulnerable Cx24228ad1-81fd 6.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability Results powered by Checkmarx(c)

Link to issue: https://devhub.checkmarx.com/cve-details/Cx24228ad1-81fd/

Expected behavior

There should not be a checkmarx vulnerability like this in sanitize-html.

Describe the bug

Checkmarx vulnerability.

Details

Version of Node.js:
v18.17.1

Server Operating System:
MacOS X

Thanks for reporting this, but the vulnerability page in question is very much not accurate.

Only a developer can pass allowedTags, therefore it is not a "network" vulnerability and it certainly is not "privileges required: none."

A person who can change the non-user-input parameters to sanitize-html is a developer, i.e. they can just bypass it completely, not invoke sanitize-html at all, etc. This is not a real vulnerability. If you look at the original issue linked on that page, it's a developer suggesting that the option could be checked for its type, which was actually added for those using typescript. It has nothing to do with any actual security vulnerability.

It's unfortunate that checkmarx seems to provide no way to get in contact regarding these pages, however I have filled out their sales contact form and will try to reach a human to get this removed.

All that said, I do appreciate your concern and your report. I just can't fix a vulnerability that does not exist. I'll do my best to get checkmarx to remove this inaccurate report.

(If you have a means of getting checkmarx' attention, I would appreciate being put in contact - happy to help get this off your plate by getting the inaccurate report corrected.)
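The trust boundary the maintainer describes above can be made explicit in code: the policy (allowedTags, allowedAttributes) is a constant owned by the developer, checked once at startup, and the only value that varies per request is the user-supplied HTML string. The following is an added illustration, not code from the sanitize-html project; `validateSanitizePolicy` and `buildUserHtmlRenderer` are hypothetical helper names, and the `sanitize` argument stands for whatever sanitizer function the application wires in (for example the module exported by sanitize-html).

```javascript
// Added example (not sanitize-html's own code). The sanitizer policy is a frozen
// constant in code; its shape is validated at startup; user HTML is the only
// per-request input. validateSanitizePolicy / buildUserHtmlRenderer are
// hypothetical names chosen for this illustration.

const TAG_NAME = /^[a-z][a-z0-9-]*$/i;

// Developer-owned policy. Object.freeze so request-time code cannot mutate it.
const SANITIZE_POLICY = Object.freeze({
  allowedTags: Object.freeze(['b', 'i', 'em', 'strong', 'a', 'p']),
  allowedAttributes: Object.freeze({ a: Object.freeze(['href']) }),
});

// sanitize-html accepts an attribute entry as a plain name or as a descriptor
// object with a `name` property; both are accepted here.
function isAttributeEntry(entry) {
  if (typeof entry === 'string') return true;
  return entry !== null && typeof entry === 'object' && typeof entry.name === 'string';
}

// Check the shape of a policy object. sanitize-html documents `false` for
// allowedTags / allowedAttributes as "allow everything"; otherwise allowedTags
// must be an array of tag names and allowedAttributes a map from tag name
// (or '*') to an array of attribute entries.
function validateSanitizePolicy(policy) {
  const errors = [];
  if (policy === null || typeof policy !== 'object') {
    return { ok: false, errors: ['policy must be an object'] };
  }
  const { allowedTags, allowedAttributes } = policy;

  if (allowedTags !== false) {
    if (!Array.isArray(allowedTags)) {
      errors.push('allowedTags must be an array of tag names or false');
    } else {
      for (const tag of allowedTags) {
        if (typeof tag !== 'string' || !TAG_NAME.test(tag)) {
          errors.push(`allowedTags: invalid tag name ${JSON.stringify(tag)}`);
        }
      }
    }
  }

  if (allowedAttributes !== undefined && allowedAttributes !== false) {
    const isMap = allowedAttributes !== null
      && typeof allowedAttributes === 'object'
      && !Array.isArray(allowedAttributes);
    if (!isMap) {
      errors.push('allowedAttributes must be an object keyed by tag name, or false');
    } else {
      for (const [tag, attrs] of Object.entries(allowedAttributes)) {
        if (tag !== '*' && !TAG_NAME.test(tag)) {
          errors.push(`allowedAttributes: invalid tag key ${JSON.stringify(tag)}`);
        }
        if (!Array.isArray(attrs) || !attrs.every(isAttributeEntry)) {
          errors.push(`allowedAttributes.${tag} must be an array of attribute names`);
        }
      }
    }
  }

  return { ok: errors.length === 0, errors };
}

// Bind a sanitizer function (e.g. the one exported by sanitize-html) to the
// fixed policy. A malformed policy is a developer bug, so it fails here, at
// startup, rather than silently at request time.
function buildUserHtmlRenderer(sanitize, policy = SANITIZE_POLICY) {
  const check = validateSanitizePolicy(policy);
  if (!check.ok) {
    throw new TypeError(`bad sanitize policy: ${check.errors.join('; ')}`);
  }
  // Only `userHtml` varies per request; the policy is captured from code.
  return function renderUserHtml(userHtml) {
    return sanitize(String(userHtml ?? ''), policy);
  };
}
```

In an application this would be wired as `const render = buildUserHtmlRenderer(require('sanitize-html'))` once at module load, and request handlers would only ever call `render(req.body.comment)`. Nothing reachable from a request can touch the policy, which is the reason a mistyped `allowedTags` is a configuration bug rather than an attacker-controlled input.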

OK, thanks for your response and for confirming this isn't a real vulnerability. I don't have any means of getting checkmarx' attention. I'd appreciate it if you're able to get checkmarx to close this so sanitize-html doesn't show up as vulnerable in our IDEs etc.

Good news: today they followed up and removed the vulnerability.

That's great news @boutell - thanks for following up on this!