I have the below js code
var a = window.location.href.substring(0,window.location.href.lastIndex('/')+1) + "logout.jsp";
setTimeout(function(){
window.location.href = a;
},1000);
When I am running a fortify scan for the above file, it is showing a security risk on the above line with Dynamic Code Evaluation :Code Injection. Now I am not able to understand on how to fix it. Do I need to add any encoder for window.href or how to resolve this. Also if we have encode , what I need to do.
On
I've found the following link... maybe it could help you:
It's a false positive.
Reporting false code injection vulnerabilities is a well-known problem with HP Fortify and has confused developers before. Fortify just does basic static analysis of the Javascript code and can't go arbitrarily deep to understand how it works. As @AlexanderOMara suggested, it just seems to discover the potentially dangerous
setTimeout()function which can, assetInterval(), take a string argument that would be executed as code, just likeeval()does. This the sort of vulnerability, the tool aims to discover:setTimeout('alert(' + document.location.hash.split('#')[1] + ')', 0);But in your case there is no user-supplied, unfiltered input to the
setTimeout()function and it therefore looks safe. Leaving you with a great conclusion from the linked thread:My advice is to stop running HP fortify reports. Or pay the five thousand, or whatever dollars to go to their classes so you could actually understand their malarkey.
Answered by Arminius.
If I understand the logic correctly, you are trying to get the path of the url without the page name, and then you intend to redirect to it.
If that is correct, you might be able to get it to work using,
It should in principal get rid of the vulnerability, but I am not fully sure if the tool detects any other vulnerability in it.