
Security Fix For Window.location.href

I have the below js code var a = window.location.href.substring(0,window.location.href.lastIndexOf('/')+1) + 'logout.jsp'; setTimeout(function(){ window.location.href = a; },1

Solution 1:

If I understand the logic correctly, you are trying to get the path of the url without the page name, and then you intend to redirect to it.

If that is correct, you might be able to get it to work using,

var a = "logout.jsp";

setTimeout(function(){
      window.location.href = a;
},1000);

It should in principle get rid of the vulnerability, but I am not fully sure if the tool detects any other vulnerability in it.

Solution 2:

I've found the following link... maybe it could help you:

https://security.stackexchange.com/questions/151806/jquery-js-dynamic-code-evaluation-code-injection-on-settimeout-line

It's a false positive.

Reporting false code injection vulnerabilities is a well-known problem with HP Fortify and has confused developers before. Fortify just does basic static analysis of the JavaScript code and can't go arbitrarily deep to understand how it works. As @AlexanderOMara suggested, it just seems to discover the potentially dangerous setTimeout() function which can, like setInterval(), take a string argument that would be executed as code, just like eval() does. This is the sort of vulnerability the tool aims to discover:

setTimeout('alert(' + document.location.hash.split('#')[1] + ')', 0);

But in your case there is no user-supplied, unfiltered input to the setTimeout() function and it therefore looks safe. Leaving you with a great conclusion from the linked thread:

My advice is to stop running HP fortify reports. Or pay the five thousand, or whatever dollars to go to their classes so you could actually understand their malarkey.

Answered by Arminius.
