Giters

jquery-validation / jquery-validation

jQuery Validation Plugin library sources

Home Page:https://jqueryvalidation.org/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Fortify SCA: Race Condition

weirdyang opened this issue · comments

commented

jquery-validation/src/core.js

Line 46 in 98fbc5f

this.on( "submit.validate", function( event ) {

Hi,
this line of code was flagged in a recent Fortify SCA scan with the following warning:
The call to on() in jquery.validate.js sets a callback that could lead to a race condition.

Is this a valid security concern? I do not see how it might lead to a race condition as it's calling the handle function. Neither do I see any mention of it in the security advisories.

commented

No I don't think so, but if you have an example handler function in happy to reconsider

commented 
			this.on( "submit.validate", function( event ) {
				if ( validator.settings.debug ) {

					// Prevent form submit to be able to see console output
					event.preventDefault();
				}

				function handle() {
					var hidden, result;

					// Insert a hidden input as a replacement for the missing submit button
					// The hidden input is inserted in two cases:
					//   - A user defined a `submitHandler`
					//   - There was a pending request due to `remote` method and `stopRequest()`
					//     was called to submit the form in case it's valid
					if ( validator.submitButton && ( validator.settings.submitHandler || validator.formSubmitted ) ) {
						hidden = $( "<input type='hidden'/>" )
							.attr( "name", validator.submitButton.name )
							.val( $( validator.submitButton ).val() )
							.appendTo( validator.currentForm );
					}

					if ( validator.settings.submitHandler && !validator.settings.debug ) {
						result = validator.settings.submitHandler.call( validator, validator.currentForm, event );
						if ( hidden ) {

							// And clean up afterwards; thanks to no-block-scope, hidden can be referenced
							hidden.remove();
						}
						if ( result !== undefined ) {
							return result;
						}
						return false;
					}
					return true;
				}

				// Prevent submit for invalid forms or custom submit handlers
				if ( validator.cancelSubmit ) {
					validator.cancelSubmit = false;
					return handle();
				}
				if ( validator.form() ) {
					if ( validator.pendingRequest ) {
						validator.formSubmitted = true;
						return false;
					}
					return handle();
				} else {
					validator.focusInvalid();
					return false;
				}
			} );
		}

I don't see any handler function in the source code, and the handle method does not appear to be asynchronous.