
How do I address "check_for_vulnerable_javascript_library_usage" errors in AppInspect?

pwu_splunk
Splunk Employee

I'm trying to address the new "check_for_vulnerable_javascript_library_usage" check in AppInspect as it's required for apps to run in Splunk Cloud after February. However, I get results like:

3rd party CORS request may execute

parseHTML() executes scripts in event handlers

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

which doesn't really tell me how to proceed. Is there a way I can figure out what's actually causing these errors?


doc_holiday
Splunk Employee

I see you're a fellow Splunk employee so let's do the back and forth over internal chat. Happy to post the resolution here once we arrive at a solution. If you hit any of the cloud vetting or prodsec channels I will see it.

Also, in future please use internal communication channels for anything related to prodsec. 

ty! 
-D


jowenssi
Path Finder

This is sometimes caused by the behavior of AppInspect versions prior to 4.1.0.  See this post for more info: https://community.splunk.com/t5/Developing-for-Splunk-Enterprise/Suggestions-on-how-we-can-upgrade-t...


sloshburch
Splunk Employee

If the common.js came from the Splunk Add-on Builder then you can ignore it for now. We're investigating false positives from that and we (Splunk) need to provide a fix to either the check_for_vulnerable_javascript_library_usage check or the code that Splunk Add-on Builder adds to your app.

pwu_splunk
Splunk Employee

We've moved this to internal discussion. Search "Alpha Kilo India" on Slack.


arjitg
Explorer

Hi @pwu_splunk, 

Even I am facing the same error with my app and in spite of upgrading the jquery in all my XML, I am still getting this issue.

  • Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
  • Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

Can you please suggest what was done to fix this error? I haven't used Add-on Builder as mine is a custom app.

Thanks,

Arjit.


sloshburch
Splunk Employee

Cross posting with Update jquery version which sounds like the same issue. I'm also hunting for some SMEs who can help.

richgalloway
SplunkTrust

This manual may help.  https://dev.splunk.com/enterprise/docs/developapps/visualizedata/updatejquery/

---
If this reply helps you, Karma would be appreciated.

pwu_splunk
Splunk Employee

Unfortunately, this is in an app that's already been upgraded to jQuery 3.6.0. My guess is that there's some library in the app that uses copy-and-paste jQuery code without having it as an explicit dependency, and I don't really know how to figure out which offending library that is.

Also, the search strings aren't one-to-one with the offending strings, and I don't have visibility into the translation. Technically, as a Splunk employee, I can get access, but I'm filing this here to help non-Splunkers.
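One way to answer the "which file carries the copy-and-paste jQuery" question above, as an added example that is not part of this thread and not Splunk's or AppInspect's own logic: walk every .js file under the app directory, look for the version banners and `jquery:` literals that jQuery builds embed, and report any copy below 3.5.0 (the jQuery release that fixed the htmlPrefilter issue quoted in the question). The regex patterns, the 3.5.0 threshold, the `appserver/static` layout and the sample file contents are all assumptions constructed for this example; a real AppInspect run may use different signatures, so treat this as a triage aid rather than a reproduction of the check.

```python
"""Heuristic scan for vendored jQuery copies inside a Splunk app directory.

Constructed example: walks every .js file under a root, looks for version
strings that jQuery builds embed, and reports copies older than a minimum.
"""
import os
import re
import tempfile

# Patterns seen in jQuery release banners and source. These are heuristics
# assumed for this example, not an official AppInspect/retire.js signature list.
JQUERY_VERSION_PATTERNS = [
    re.compile(r"/\*!\s*jQuery\s+v(\d+\.\d+\.\d+)"),            # minified banner
    re.compile(r"jQuery JavaScript Library v(\d+\.\d+\.\d+)"),  # unminified banner
    re.compile(r"\bjquery\s*:\s*[\"'](\d+\.\d+\.\d+)[\"']"),     # jQuery.fn.jquery literal
]

MIN_SAFE_VERSION = (3, 5, 0)  # htmlPrefilter XSS fix shipped in jQuery 3.5.0


def parse_version(text):
    """Turn '1.12.4' into (1, 12, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_below_minimum(version, minimum=MIN_SAFE_VERSION):
    return parse_version(version) < minimum


def find_embedded_jquery(root):
    """Return sorted (relative_path, version) pairs, one per jQuery copy found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            versions = set()
            for pattern in JQUERY_VERSION_PATTERNS:
                for match in pattern.finditer(text):
                    versions.add(match.group(1))
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for version in sorted(versions):
                hits.append((rel, version))
    return sorted(hits)


def flag_outdated(root, minimum=MIN_SAFE_VERSION):
    """Only the copies that fall below the minimum version."""
    return [(p, v) for p, v in find_embedded_jquery(root) if is_below_minimum(v, minimum)]


def build_sample_app(root):
    """Write a constructed app layout: one current jQuery plus two vendored copies
    hidden inside other files, which is the situation described in the thread."""
    static = os.path.join(root, "appserver", "static")
    os.makedirs(static, exist_ok=True)
    samples = {
        "jquery-3.6.0.min.js": "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n",
        # a helper bundle with an old jQuery pasted into the middle of it
        "common.js": "var helper = {};\n/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){}(window);\n",
        # an even older copy that only exposes the version via jQuery.fn.jquery
        "legacy_widget.js": 'jQuery.fn = jQuery.prototype = { jquery: "1.7.2", constructor: jQuery };\n',
        # a clean module that merely requires jQuery by name
        "app.js": 'require(["jquery"], function($) { $(function() {}); });\n',
    }
    for name, body in samples.items():
        with open(os.path.join(static, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def scan_sample_app():
    """Build the constructed sample in a temp dir; return (all_hits, outdated)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_app(tmp)
        return find_embedded_jquery(tmp), flag_outdated(tmp)


if __name__ == "__main__":
    all_hits, outdated = scan_sample_app()
    for path, version in all_hits:
        status = "OUTDATED" if (path, version) in outdated else "ok"
        print(f"{status:8} {version:8} {path}")
```

Point `find_embedded_jquery` at a real app root instead of the constructed sample to get the list of files to inspect; a hit inside a file that is not itself named jquery-*.js is the vendored copy the thread is looking for.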
