Holiday Notice: Support will be provided on a limited scale from December 24th, 2024, to January 2nd, 2025. Happy holidays and a wonderful New Year!


Topic: Semgrep SAST marking class-name.js ln 38-41 as vulnerable (CWE-95)

NEIT Team priority asked 2 weeks ago


Hello,

We recently implemented MDB5 into our ASP.NET MVC application's codebase. When we ran our security scans on it, using Semgrep SAST on GitLab, we received a vulnerability notice saying that mdb/perfect-scrollbar/lib/class-names.js:38-41 has the following vulnerability.

CWE-95: Improper neutralization of directives in dynamically evaluated code ('Eval Injection') Description: User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection.

We wanted to determine if this was a true positive, and if so, do you have a patch for it that would allow us to mark this vulnerability as resolved. Thanks so much in advance.

Please direct answers to this question to bdeal@fbi.gov.


Grzegorz Bujański staff answered 2 weeks ago


Hello,

I checked it to be sure and didn't find a place in the Perfect Scrollbar code where the eval() function would be used.

The code that the error points to manages the component's CSS classes. You can check it here: https://github.com/mdbootstrap/perfect-scrollbar/blob/main/src/lib/class-names.js



Please insert min. 20 characters.

FREE CONSULTATION

Hire our experts to build a dedicated project. We'll analyze your business requirements, for free.

Status

Answered

Specification of the issue

  • ForumUser: Priority
  • Premium support: Yes
  • Technology: MDB Standard
  • MDB Version: MDB5 8.0.0
  • Device: PC
  • Browser: Chrome
  • OS: Windows
  • Provided sample code: No
  • Provided link: No