Reputation: 197
We have below code in nodejs
const _ = require('lodash');
const i = _.get(req.body, "i");
res.send(i);
When Checkmarx scans the above code, it says i should be sanitized and validated. Can anyone please help with how to resolve this issue?
Thanks in advance
Upvotes: 0
Views: 8071
Reputation: 41
const i = _.get(req.body, "i");
res.send(i);
Issue:
Here you are setting your response from a value fetched from the request body, which embeds untrusted data in the generated output via send. This untrusted data is embedded straight into the output without proper sanitization.
Solution:
Sanitize the request body attributes before setting them in the response:
requestSanitizer.setOptions({
    body: {
        // one list of validator functions per body field, applied in order
        name: [validator.escape, validator.ltrim],
        test: [validator.ltrim]
    }
});
You must first import these packages:
var requestSanitizer = require('request-sanitizer')();
var validator = requestSanitizer.validator;
and then finally pass requestSanitizer as an additional parameter to the API call.
Upvotes: 0
Reputation: 758
If you meant this:
const _ = require('lodash');
const i = _.get(req.body, "i");
res.send(i);
Then it seems Checkmarx managed to find a Reflected XSS vulnerability.
When you get untrusted input in a request from a user, it may contain a malicious script that might be sent in the response and run on the client side. This is called Reflected Cross-Site Scripting (XSS).
Prevention depends on many factors. OWASP wrote a pretty good guide: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Upvotes: 2
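The following is an added example, not code from the question or from either answer, illustrating both answers' point: the value read from req.body flows straight into res.send, and the fix is to validate it before it reaches the sink and to encode it for the output context. It is a dependency-free model of an Express-style handler: req.body is assumed to be already parsed (what express.json() or express.urlencoded() would produce) and the response is a plain { status, headers, body } object standing in for res. The helper names (getField, parseBoundedInt, vulnerableHandler, hardenedHandler, htmlHandler, escapeHtml) and the 0..1000000 range are assumptions made for the example; the sample payload is constructed.

```javascript
// Added example (not from the question or either answer): a dependency-free
// model of an Express-style handler, showing the reflected-XSS sink from the
// question beside a validated, output-encoded version. Assumptions: req.body
// is already parsed (as express.json()/urlencoded() would give you) and the
// response is a plain { status, headers, body } object standing in for res.

// Stand-in for lodash's _.get(req.body, "i") on a flat key, so this runs
// without lodash installed. Non-object bodies (unparsed text) yield undefined.
function getField(body, key) {
  return body !== null && typeof body === 'object' &&
    Object.prototype.hasOwnProperty.call(body, key) ? body[key] : undefined;
}

// VULNERABLE: echoes the raw body value. Express's res.send(string) with no
// explicit Content-Type answers as text/html, so the browser renders the payload.
function vulnerableHandler(req) {
  const i = getField(req.body, 'i');
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: i === undefined ? '' : String(i),
  };
}

// HARDENED step 1, validation: accept only a canonical base-10 integer
// (no leading zeros, exponent, sign noise or whitespace) within a bounded
// range (bounds are an assumption for the example). Arrays (urlencoded
// "i=1&i=2"), objects and a missing field all fail.
const INT_RE = /^-?(0|[1-9][0-9]*)$/;

function parseBoundedInt(value, { min = 0, max = 1000000 } = {}) {
  const text = typeof value === 'number' ? String(value) : value;
  if (typeof text !== 'string' || !INT_RE.test(text)) return null;
  const n = Number(text);
  if (!Number.isSafeInteger(n) || n < min || n > max) return null;
  return n;
}

// HARDENED step 2, output encoding by representation: answer as JSON so the
// value never lands in an HTML context. Invalid input gets a 400 with a fixed
// message; the offending input is deliberately not echoed back.
function hardenedHandler(req) {
  const i = parseBoundedInt(getField(req.body, 'i'));
  const headers = { 'Content-Type': 'application/json; charset=utf-8' };
  if (i === null) {
    return { status: 400, headers, body: JSON.stringify({ error: 'i must be an integer in [0, 1000000]' }) };
  }
  return { status: 200, headers, body: JSON.stringify({ i }) };
}

// If the response genuinely must be HTML containing the input, encode for the
// HTML body context at the point of output (OWASP XSS prevention rule #1).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

function htmlHandler(req) {
  const i = getField(req.body, 'i');
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: `<p>You sent: ${escapeHtml(i === undefined ? '' : i)}</p>`,
  };
}

// Constructed sample request bodies: a benign value, a classic reflected-XSS
// probe, a non-canonical integer and a missing field.
const SAMPLE_PAYLOAD = '<script>alert(1)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const body of [{ i: '42' }, { i: SAMPLE_PAYLOAD }, { i: '007' }, {}]) {
    const h = hardenedHandler({ body });
    console.log('vulnerable:', vulnerableHandler({ body }).body);
    console.log('hardened  :', h.status, h.body);
    console.log('html      :', htmlHandler({ body }).body);
  }
}
```

Two caveats worth knowing when porting this to a real Express app. First, validation alone is not the whole story: a sanitizer that merely trims or escapes strings still lets a non-integer through, whereas rejecting anything that is not a canonical integer removes the attacker's control over the reflected bytes entirely. Second, do not pass the validated number straight to res.send either: in Express 4, res.send(number) is the deprecated "set status code" form, so send the value as JSON (res.json({ i })) or as a string with an explicit Content-Type, as the hardened handler above does.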