vulnerabilities -ISSUE-Improper control of generation of code ('Code Injection')

Pandu Mangalawadkar — Wed, 28 May 2025 06:35:25 +0000

this is my code

import { useRef, useCallback, useEffect } from 'react';
import { getInactivityTimeout } from '../../sessionConfig';

const useInactivityLogout = () => {
const timerRef = useRef(null);
const eventHandlerSet = useRef(false);

const logout = useCallback(() => {
    // Clear access token for frontend logout
    sessionStorage.removeItem('access_token');
}, []);

const resetInactivityTimer = useCallback(() => {
    const now = Date.now();
    sessionStorage.setItem('lastActivityTime', now.toString());

    if (timerRef.current) {
        clearTimeout(timerRef.current);
    }

    // Defensive: Ensure getInactivityTimeout() returns a safe number
    const safeTimeout = Math.max(0, Number(getInactivityTimeout()) || 0);

    // Safe: setTimeout is used with a function, no string eval here
    timerRef.current = setTimeout(() => {
        const stored = sessionStorage.getItem('lastActivityTime');
        const storedTime = stored !== null && !Number.isNaN(stored) ? Number(stored) : null;

        // Defensive: Check inactivity and logout if necessary
        if (
            stored !== null &&
            storedTime !== null &&
            !Number.isNaN(storedTime) &&
            Date.now() - storedTime >= safeTimeout
        ) {
            logout();
        }
    }, safeTimeout);
}, [logout]);

const setupInactivityListeners = useCallback(() => {
    if (!eventHandlerSet.current) {
        const events = ['mousemove', 'keydown', 'click'];
        const activityHandler = () => resetInactivityTimer();

        events.forEach(event => window.addEventListener(event, activityHandler));

        eventHandlerSet.current = true;
        resetInactivityTimer();
    }
}, [resetInactivityTimer]);

useEffect(
    () => () => {
        if (timerRef.current) {
            clearTimeout(timerRef.current);
        }
    },
    []
);

return { setupInactivityListeners };

};

export default useInactivityLogout;

Note :The application was found calling the dangerous dynamic execution \nmethods with untrusted input. These functions can lead to code \ninjection, allowing attackers to execute arbitrary JavaScript \ncode, which may result in severe security risks such as remote \ncode execution (RCE) on the server or Cross-Site Scripting (XSS) \nin the browser (DOM XSS). Code injection occurs when untrusted \nuser input is passed directly to functions that execute code from \nstrings. When these vulnerable functions are used in client-side \ncode, they can lead to DOM-based XSS attacks, allowing attackers \nto inject and execute malicious scripts within the user's browser.\n\nTo remediate this issue, take the following measures:\n1. Avoid using dangerous functions with strings: Use safe alternatives \nby passing functions as arguments to setTimeout(), setInterval(), and\navoid using eval(), Function() and execScript().\n2. Sanitize user input: Sanitize untrusted inputs from the DOM or URL \nbefore using them in any context that may lead to code execution.\n3. Use safer alternatives: Replace innerHTML with textContent or \ninnerText when updating the DOM, and avoid passing user input to \neval()-like functions.\n4. Validate inputs: Ensure that user input is validated and conforms \nto expected data types and formats before processing it.\n\nSecure Code Example:\n

\nvar userInput = location.search.substring(1);\n\n// Safe: Using a function instead of a string for setTimeout\nsetTimeout(function() {\n console.log("User input: " + userInput); // Safe: No code execution\n}, 1000);\n

\n\nFor more information on why not to use eval, and alternatives see:\n- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!\n\nOther References:\n- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function\n- https://developer.mozilla.org/en-US/docs/Web/API/setTimeout\n- https://developer.mozilla.org/en-US/docs/Web/API/setInterval\n

DEV Community: Pandu Mangalawadkar

vulnerabilities -ISSUE-Improper control of generation of code ('Code Injection')