Fortify SCA: Race Condition
weirdyang opened this issue · comments
Line 46 in 98fbc5f
Hi,
this line of code was flagged in a recent Fortify SCA scan with the following warning:
The call to on() in jquery.validate.js sets a callback that could lead to a race condition.
Is this a valid security concern? I do not see how it might lead to a race condition as it's calling the handle function. Neither do I see any mention of it in the security advisories.
No I don't think so, but if you have an example handler function in happy to reconsider
this.on( "submit.validate", function( event ) {
if ( validator.settings.debug ) {
// Prevent form submit to be able to see console output
event.preventDefault();
}
function handle() {
var hidden, result;
// Insert a hidden input as a replacement for the missing submit button
// The hidden input is inserted in two cases:
// - A user defined a `submitHandler`
// - There was a pending request due to `remote` method and `stopRequest()`
// was called to submit the form in case it's valid
if ( validator.submitButton && ( validator.settings.submitHandler || validator.formSubmitted ) ) {
hidden = $( "<input type='hidden'/>" )
.attr( "name", validator.submitButton.name )
.val( $( validator.submitButton ).val() )
.appendTo( validator.currentForm );
}
if ( validator.settings.submitHandler && !validator.settings.debug ) {
result = validator.settings.submitHandler.call( validator, validator.currentForm, event );
if ( hidden ) {
// And clean up afterwards; thanks to no-block-scope, hidden can be referenced
hidden.remove();
}
if ( result !== undefined ) {
return result;
}
return false;
}
return true;
}
// Prevent submit for invalid forms or custom submit handlers
if ( validator.cancelSubmit ) {
validator.cancelSubmit = false;
return handle();
}
if ( validator.form() ) {
if ( validator.pendingRequest ) {
validator.formSubmitted = true;
return false;
}
return handle();
} else {
validator.focusInvalid();
return false;
}
} );
}
I don't see any handler function in the source code, and the handle
method does not appear to be asynchronous.