Hi Aleks, SonarQube used to throw lots of warnings on GWT-generated code. Upgrading to version 6.3 was enough to get rid of most warnings (there are no miracles; sometimes I get a warning or two when analyzing an app that had just a minor change in the Java code).
Hope this helps,
Rodolfo

On Thu, Nov 23, 2017 at 11:13 PM Aleks <[email protected]> wrote:
> Hi,
>
> we are currently going through a security audit and as part of that doing
> static code scans. The scanner has returned two issues with the
> GWT-generated <module>.nocache.js files.
>
> We can't really fix these as they are generated, but were hoping we could
> challenge them if we had a good explanation or some "official" GWT resource
> suggesting the code is actually safe.
> I have found some previous posts on similar or same issues, but was hoping
> I could get a response more relevant to the version we are using (*2.8.1*)
> or an official resource (perhaps results of other scans/security audits?).
>
> Below are the two issues with explanations and the code lines.
>
> *1. Cross Site Scripting*
>
> *Description:* The method f() in <module>.nocache.js sends unvalidated
> data to a web browser on line 13, which can result in the browser executing
> malicious code. Sending unvalidated data to a web browser can result in the
> browser executing malicious code.
>
> *Code:* function f(a){if(a.match(/^\w+:\/\//)){}else{var b=r.createElement(Gb);b.src=a+Hb;a=e(b.src)}return a}
>
> *2. Dynamic Code Evaluation - Code Injection*
>
> *Description:* The file webadmin.nocache.js interprets unvalidated user
> input as source code on line 15. Interpreting user-controlled instructions
> at run-time can allow attackers to execute malicious code. Interpreting
> user-controlled instructions at run-time can allow attackers to execute
> malicious code.
>
> *Code:*
> if(m.addEventListener){m.addEventListener($b,function(){H();M()},false)}var L=setInterval(function(){if(/loaded|complete/.test(m.readyState)){H();M()}},50);n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Q,millis:(new Date).getTime(),type:W});n&&n({moduleName:O,sessionId:o,subSystem:P,evtGroup:Nb,millis:(new Date).getTime(),type:R});m.write(_b)}
>
> Thanks for your help!
>
> --
> You received this message because you are subscribed to the Google Groups
> "GWT Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/google-web-toolkit.
> For more options, visit https://groups.google.com/d/optout.
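The first finding quoted above (the helper f() that assigns `a + Hb` to an element's src and reads the result back) is easier to reason about once its data flow is spelled out. The following is an added example, written for this page and not code from the GWT project or from either poster: a Node.js model of that helper, with the browser's DOM resolution replaced by the WHATWG URL resolver. Its shape matches GWT's ensureAbsoluteUrl helper in computeScriptBase.js, which resolves the module base URL by pointing a dummy image at the script directory; that identification, the file name `clear.cache.gif`, the reading of e() as a "directory of file" helper, and the sample page URL are all assumptions, since the thread only shows the minified form.

```javascript
// Added example, not code from the GWT project or from the thread: a Node.js model of
// the first flagged helper in <module>.nocache.js so the data flow the scanner reports
// can be inspected outside a browser. The minified original is
//   function f(a){if(a.match(/^\w+:\/\//)){}else{var b=r.createElement(Gb);b.src=a+Hb;a=e(b.src)}return a}
// and does three things: if `a` already has a scheme it is returned untouched; otherwise
// `a + Hb` is assigned to an element's src so the browser resolves it against the
// document base URL; the absolute result is then passed through e() before being returned.
//
// Assumptions (none of these names are visible in the thread): the DOM step is replaced
// by the WHATWG URL resolver, Hb is taken to be the file name "clear.cache.gif", and e()
// is taken to be a "directory of file" helper that strips that file name again.

const HAS_SCHEME = /^\w+:\/\//;   // the only check the original performs on `a`

// Stand-in for e(b.src): keep everything up to and including the last "/".
function directoryOfFile(absoluteUrl) {
  return absoluteUrl.slice(0, absoluteUrl.lastIndexOf("/") + 1);
}

// Stand-in for the DOM: what the browser would store in `b.src` after assignment.
function browserResolve(value, documentBase) {
  return new URL(value, documentBase).href;
}

// Model of f(a) with the same control flow and the same absence of validation.
function ensureAbsoluteUrl(a, documentBase, fileName = "clear.cache.gif") {
  if (HAS_SCHEME.test(a)) {
    return a;                    // any scheme at all passes through unchanged
  }
  return directoryOfFile(browserResolve(a + fileName, documentBase));
}

// Triage check a reviewer would run next to the finding: does the resolved base stay on
// the page's origin? The scanner flags the sink; this examines what reaches it.
function isSameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Constructed inputs: a page URL and three candidate values for `a`.
function demo() {
  const page = "https://app.example.com/index.html";
  const relative = ensureAbsoluteUrl("webadmin/", page);
  const rooted = ensureAbsoluteUrl("/static/webadmin/", page);
  const absolute = ensureAbsoluteUrl("https://cdn.example.org/webadmin/", page);
  return {
    relative,                                   // "https://app.example.com/webadmin/"
    rooted,                                     // "https://app.example.com/static/webadmin/"
    absolute,                                   // returned as given, no resolution at all
    absoluteIsSameOrigin: isSameOrigin(absolute, page),   // false
  };
}
```

Two things the model makes visible. The regex branch is a scheme detector, not a validator: `"javascript://x"` satisfies `/^\w+:\/\//` just as `"https://..."` does, so the scanner's "unvalidated" verdict is literally true for every path through f(). Whether that matters depends entirely on where `a` comes from, which neither the finding nor the quoted snippet shows; an audit response therefore has to trace that source (and, for the second finding, the source of the string handed to `m.write`) rather than argue about the sink. The `isSameOrigin` check is the kind of evidence that belongs in such a response.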
