
File download - stored XSS vulnerability in JavaScript

I have 3 types of files (XML, PDF, zip) that are stored in my server files and are sent to the user (client side) in base64 format on request (when the client clicks a button).
The files are downloaded to the user's computer and are not displayed (on an HTML page).

I made a security test with the Checkmarx service and received a security issue:
"Method function at line 58 of MyFile.js gets data from the database, for the readFileSync element. This element's value then flows through the code without being properly filtered or encoded and is eventually displayed to the user in method function at line 58 of MyFile.js. This may enable a Stored Cross-Site-Scripting attack (XSS)."

The code on my server side is:

var fs = require('fs');

// Sails-style controller action; FilePathInTheProject is a fixed,
// server-side path, not something taken from the request.
module.exports = {
  downloadFile: function (req, res) {
    var params = req.allParams(); // request parameters (unused here)
    var contents = fs.readFileSync(FilePathInTheProject).toString('base64');
    res.send(contents);
  },
};

I don't understand how server-stored files that are not accessible from the client side can enable a Stored Cross-Site-Scripting attack (XSS)?

How can I verify the vulnerability's existence?

And what is the right way to solve this security issue?

Checkmarx considers that you take any contents from a source without any validation. So the data is not tainted for it, and if you send it to a client this could lead to XSS.

This is right if we have the view without your explanation.

@Cilian Collins' explanation is right. With this, you could just mark the issue as 'Not Exploitable' and on the next scan it will not be shown to you. Or, if you have more time, you could extend the Cx rule to do it :)

You have to check who has access to the files stored on the file system. Are the files trustworthy? How did you prevent access to these files? Can they be modified (script injection)? The DB or files on the file system should not be treated as a source of trustworthy data by default. All data returned to the user should be validated.
