I'm trying to address the new "check_for_vulnerable_javascript_library_usage" check in AppInspect as it's required for apps to run in Splunk Cloud after February. However, I get results like:
3rd party CORS request may execute
parseHTML() executes scripts in event handlers
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
which doesn't really tell me how to proceed. Is there a way I can figure out what's actually causing these errors?
I see you're a fellow splunk employee so let's do the back and forth over internal chat. Happy to post the resolution here once we arrive at a solution. If you hit any of the cloud vetting or prodsec channels I will see it.
Also, in future please use internal communication channels for anything related to prodsec.
ty!
-D
This is sometimes caused by the behavior of AppInspect versions prior to 4.1.0. See this post for more info: https://community.splunk.com/t5/Developing-for-Splunk-Enterprise/Suggestions-on-how-we-can-upgrade-t...
If the common.js came from the Splunk Add-on Builder then you can ignore it for now. We're investigating false positives from that, and we (Splunk) need to provide a fix to either the check_for_vulnerable_javascript_library_usage check or the code that Splunk Add-on Builder adds to your app.
We've moved this to internal discussion. Search "Alpha Kilo India" on Slack.
Hi @pwu_splunk,
I am also facing the same error with my app, and in spite of upgrading jQuery in all my XML, I am still getting this issue:
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Can you please suggest what was done to fix this error? I haven't used Add-on Builder, as mine is a custom app.
Thanks,
Arjit.
Cross-posting with "Update jquery version", which sounds like the same issue. I'm also hunting for some SMEs who can help.
This manual may help. https://dev.splunk.com/enterprise/docs/developapps/visualizedata/updatejquery/
Unfortunately, this is in an app that's already been upgraded to jQuery 3.6.0. My guess is that there's some library in the app that uses copy-and-paste jQuery code without having it as an explicit dependency, and I don't really know how to figure out which offending library that is.
Also, the search strings aren't one-to-one with the offending strings, and I don't have visibility into the translation. Technically, as a Splunk employee, I can get access, but I'm filing this here to help non-Splunkers.
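The last post describes the practical problem: the app's own jQuery is already 3.6.0, but some bundled or copy-pasted library still carries an older jQuery, and the finding strings do not say which file. The script below is an added example written for this page; it is not AppInspect's code and not from anyone in the thread, and AppInspect's real detection patterns are not visible here. It walks an app directory, pulls a jQuery version out of every .js file from the banner comment (`/*! jQuery v1.12.4 ...`, `jQuery JavaScript Library v2.2.4`) or an unminified `version = "x.y.z"` line, and lists copies older than a floor. The default floor of 3.5.0 is the release that shipped the htmlPrefilter fix named in the findings; the regexes and the sample app tree are this example's own assumptions, constructed so it runs offline.

```python
"""Locate embedded copies of jQuery inside a Splunk app directory.

Added example, not AppInspect's own code: the regexes are heuristics that
match the banners real jQuery builds carry, not AppInspect's patterns.
"""
import os
import re
import tempfile

# Banner present in minified and unminified jQuery builds, e.g.
#   /*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */
#   jQuery JavaScript Library v1.7.2
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+[\w.-]*)")
# Unminified source carries:  var version = "3.6.0",
# Only trusted when the file also mentions jQuery, to avoid flagging other libraries.
VERSION_RE = re.compile(r"\bversion\s*=\s*[\"'](\d+\.\d+\.\d+[\w.-]*)[\"']")


def parse_version(text):
    """Return a comparable tuple such as (1, 12, 4) from '1.12.4' or '1.12.4-pre'."""
    nums = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(n) for n in nums.groups())


def detect_jquery_version(source):
    """Return the jQuery version string found in a JS file's text, or None."""
    m = BANNER_RE.search(source)
    if m:
        return m.group(1)
    if "jQuery" in source:
        m = VERSION_RE.search(source)
        if m:
            return m.group(1)
    return None


def scan_app(app_dir, floor="3.5.0"):
    """Return {relative_path: version} for every .js file holding jQuery older than floor.

    Default floor 3.5.0: the release that fixed the htmlPrefilter XSS the findings name.
    """
    floor_t = parse_version(floor)
    findings = {}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            # errors="replace": minified bundles sometimes contain odd bytes; keep going.
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = detect_jquery_version(fh.read())
            if version and parse_version(version) < floor_t:
                findings[os.path.relpath(path, app_dir)] = version
    return findings


def build_sample_app():
    """Construct a throwaway app tree (sample data for this example, not a real add-on)."""
    app = tempfile.mkdtemp(prefix="sample_app_")
    files = {
        # The app's own, current jQuery: must not be flagged.
        "appserver/static/js/jquery-3.6.0.min.js":
            "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n",
        # A third-party widget bundle with an old jQuery concatenated inside it.
        "appserver/static/js/vendor/widget.bundle.js":
            "/*! some widget */\n/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n",
        # A forgotten unminified copy under a generic name.
        "appserver/static/js/lib/jquery.js":
            "/*!\n * jQuery JavaScript Library v2.2.4\n */\nvar version = \"2.2.4\",\n",
        # Unrelated library with its own version string: must not be flagged.
        "appserver/static/js/app.js":
            "var version = \"9.9.9\"; // unrelated library, no banner\n",
    }
    for rel, body in files.items():
        path = os.path.join(app, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return app


if __name__ == "__main__":
    app_dir = build_sample_app()
    for rel, ver in sorted(scan_app(app_dir).items()):
        print(f"{rel}: jQuery {ver} (below 3.5.0)")
```

Run it against a real app by calling `scan_app("/opt/splunk/etc/apps/<your_app>")` instead of the sample tree. Files it reports are the candidates to replace, re-bundle against the app's shared jQuery, or document for the vetting team; a bundle that embeds jQuery without a banner will still slip through this heuristic, so a clean result is a lead, not proof.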