A code scanning alert (DevSkim) appeared on my web-application GitHub repository, and I don’t know whether the alert is a false positive and what I have to do in this special case.
The alert:
If untrusted data (data from HTTP requests, user submitted files, etc.) is included in an setTimeout statement it can allow an attacker to inject their own code.
My code:
function confirmForm(event) {
    event.preventDefault();
    const form = document.getElementById('Form');
    const formData = new FormData(form);

    // Submit the form via fetch instead of a normal page navigation.
    fetch(form.getAttribute('action'), {
        method: 'POST',
        body: formData
    })
        .then(response => {
            if (!response.ok) {
                throw new Error('Network request was not OK!');
            }
            return response.json();
        })
        .then(data => {
            displayNotification(data.status, data.message);
            if (data.status === 'success') {
                // Redirect to a fixed path after a short delay.
                // The callback is a function, not a string, and the
                // target URL is hard-coded here.
                setTimeout(() => {
                    window.location.href = '/aktuell';
                }, 500);
            }
        })
        .catch(error => {
            console.error('Error:', error);
            displayNotification('error', 'An error happened. Try again later...');
        });
}
(Just the part you need, I think.)
It also says: “Visit https://github.com/Microsoft/DevSkim/blob/main/guidance/DS172411.md for guidance on this issue.”
So my question is whether this alert is a security risk for the web application or for a user, or whether it is not exploitable in this case?
I tried asking ChatGPT and read the DevSkim docs linked above. ChatGPT said that it is not a security risk, but I don’t trust it. For me it’s very important to keep the website safe (because it’s for a big school newspaper), and I want to get a second opinion from real people.
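As an added example (not code from the question), here is the same delayed redirect written so that the target stays constrained even if it is ever taken from the server response rather than hard-coded. The helper names `isSafeRelativePath` and `scheduleRedirect` are hypothetical; the `navigate` parameter exists so the code can run outside a browser.

```javascript
// Added example, not part of the original question.
// The question's code passes a closure to setTimeout, so nothing in the
// callback is evaluated as code. The residual risk in this pattern is an
// open redirect, which only arises if the target URL comes from untrusted
// data (e.g. data.redirect from the response). This helper accepts only
// same-origin absolute paths such as '/aktuell'.

function isSafeRelativePath(target) {
  if (typeof target !== 'string') return false;
  // Must start with exactly one slash: rejects 'aktuell', 'https://...',
  // 'javascript:...', protocol-relative '//host' and the '/\host' quirk.
  if (!target.startsWith('/')) return false;
  if (target.startsWith('//') || target.startsWith('/\\')) return false;
  // Control characters and whitespace have no place in a path.
  if (/[\u0000-\u001f\s]/.test(target)) return false;
  return true;
}

// Same delayed redirect as in the question, with the target validated
// first. `navigate` defaults to assigning window.location.href and can be
// swapped out in tests or in Node, where there is no window.
function scheduleRedirect(target, delayMs = 500,
                          navigate = (url) => { window.location.href = url; }) {
  if (!isSafeRelativePath(target)) {
    return Promise.reject(
      new Error(`refusing to redirect to ${JSON.stringify(target)}`));
  }
  return new Promise((resolve) => {
    setTimeout(() => {
      navigate(target);
      resolve(target);
    }, delayMs);
  });
}

// Usage, mirroring the question's .then(data => ...) branch:
// if (data.status === 'success') scheduleRedirect('/aktuell').catch(console.error);
```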