Topic: Semgrep SAST marking class-name.js ln 38-41 as vulnerable (CWE-95)
Hello,
We recently implemented MDB5 into our ASP.NET MVC application's codebase. When we ran our security scans on it, using Semgrep SAST on GitLab, we received a vulnerability notice saying that mdb/perfect-scrollbar/lib/class-names.js:38-41 has the following vulnerability.
CWE-95: Improper neutralization of directives in dynamically evaluated code ('Eval Injection') Description: User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection.
We wanted to determine if this was a true positive, and if so, whether you have a patch for it that would allow us to mark this vulnerability as resolved. Thanks so much in advance.
Please direct answers to this question to bdeal@fbi.gov.
Grzegorz Bujański staff answered 2 weeks ago
Hello,
I checked it to be sure and didn't find a place in the Perfect Scrollbar code where the eval() function would be used.
The code that the error points to manages the component's CSS classes. You can check it here: https://github.com/mdbootstrap/perfect-scrollbar/blob/main/src/lib/class-names.js
Answered
- User: Pro
- Premium support: Yes
- Technology: MDB Standard
- MDB Version: MDB5 8.0.0
- Device: PC
- Browser: Chrome
- OS: Windows
- Provided sample code: No
- Provided link: No