Skip to content

JS: Add Permissive CORS query (CWE-942) #14342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
erik-krogh merged 31 commits into from
Jun 28, 2024
Merged

JS: Add Permissive CORS query (CWE-942) #14342

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
e171123
Add initial query for CWE-942
maikypedia Sep 29, 2023
142ab01
Remove comment line
maikypedia Sep 29, 2023
816eebb
Add `.qhelp` and apply some review changes
maikypedia Oct 2, 2023
ed06628
Add documentation string for `CorsPermissiveConfiguration`
maikypedia Oct 6, 2023
c0e6d7c
Merge branch 'github:main' into maikypedia/javascript-cors
maikypedia Oct 11, 2023
07ad596
Add coverage for `express`
maikypedia Oct 16, 2023
acac534
Forgot `.js`
maikypedia Oct 16, 2023
d661f7f
Add Flow Labels
maikypedia Nov 22, 2023
413c111
Move to `/experimental`
maikypedia Nov 23, 2023
abd53e9
Fix minor issues
maikypedia Nov 23, 2023
4ef4c92
Move Customizations and Query
maikypedia Nov 23, 2023
aa24ce5
Apply suggestions from code review
maikypedia Nov 27, 2023
bb6ef72
`getArgument` returns `Cors::Cors`
maikypedia Nov 27, 2023
f623db4
Change qldoc
maikypedia Nov 27, 2023
3bcb411
Using `Express::RouteSetup`
maikypedia Nov 27, 2023
6a3cdc9
Add `change-node`
maikypedia Nov 27, 2023
e6c7fc0
Fixes CI
maikypedia Nov 29, 2023
83cbbd7
Apply docstring changes
maikypedia Dec 5, 2023
87cac2a
Express Argument has to be Cors
maikypedia Dec 7, 2023
4f68f60
Apply review
maikypedia Dec 18, 2023
191766a
Use `config.getCorsConfiguration().getOrigin())`
maikypedia Dec 18, 2023
7662b2b
format
maikypedia Dec 19, 2023
78e7793
Move to experimental
maikypedia Jan 9, 2024
699d8d4
x
maikypedia Mar 7, 2024
c1fd7a6
autoformat
erik-krogh Mar 12, 2024
f2d6640
fix ambiguous import. It could refer both to a module or a file
erik-krogh Mar 12, 2024
cfd7c7a
move change-note to `javascript/ql/src/change-notes`
maikypedia May 27, 2024
e96c3a3
Move `Apollo` to experimental
maikypedia May 27, 2024
4be5cf4
Update javascript/ql/src/experimental/Security/CWE-942/CorsPermissive…
maikypedia Jun 12, 2024
8ba7ac6
Update javascript/ql/src/experimental/Security/CWE-942/CorsPermissive…
maikypedia Jun 12, 2024
d0cf2a9
Merge branch 'main' into maikypedia/javascript-cors
maikypedia Jun 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions javascript/ql/lib/javascript.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ import semmle.javascript.frameworks.ActionsLib
import semmle.javascript.frameworks.Angular2
import semmle.javascript.frameworks.AngularJS
import semmle.javascript.frameworks.Anser
import semmle.javascript.frameworks.ApolloGraphQL
import semmle.javascript.frameworks.AsyncPackage
import semmle.javascript.frameworks.AWS
import semmle.javascript.frameworks.Azure
Expand Down
56 changes: 56 additions & 0 deletions javascript/ql/lib/semmle/javascript/frameworks/ApolloGraphQL.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
/**
* Provides classes for working with Apollo GraphQL connectors.
*/

import javascript

/** Provides classes modeling concepts of Apollo GraphQL. */
module ApolloGraphQL {
/** A string-valued expression that is interpreted as a Apollo GraphQL query. */
abstract class GraphQLString extends DataFlow::Node { }
Comment thread
maikypedia marked this conversation as resolved.
Outdated

/** A string-valued expression that is interpreted as a Apollo GraphQL query. */
abstract class ApolloGraphQLServer extends DataFlow::Node { }
Comment thread
maikypedia marked this conversation as resolved.
Outdated
}

/**
* Provides classes modeling the apollo packages [@apollo/server](https://npmjs.com/package/@apollo/server`)
*/
private module Apollo {
Comment thread
maikypedia marked this conversation as resolved.
Outdated
/** Get an instanceof of `Apollo` */
private API::Node apollo() {
result =
API::moduleImport([
"@apollo/server", "apollo/server", "@apollo/apollo-server-express",
Comment thread
maikypedia marked this conversation as resolved.
Outdated
"@apollo/apollo-server-core", "apollo-server", "apollo-server-express"
]).getMember("ApolloServer")
}

/** Get an instanceof of `gql` */
private API::Node gql() {
Comment thread
maikypedia marked this conversation as resolved.
Outdated
result =
API::moduleImport([
"@apollo/server", "apollo/server", "@apollo/apollo-server-express",
"@apollo/apollo-server-core", "apollo-server", "apollo-server-express"
Comment thread
maikypedia marked this conversation as resolved.
Outdated
]).getMember("gql")
}

/** A string that is interpreted as a GraphQL query by a `octokit` package. */
private class ApolloGraphQLString extends GraphQL::GraphQLString {
ApolloGraphQLString() { this = gql().getACall() }
}
Copy link
Copy Markdown
Contributor

@erik-krogh erik-krogh Oct 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GraphQL::GraphQLString is "A string-valued expression that is interpreted as a GraphQL query".

In this case the gql function has as input a string, and the output is an object.
So you need to flag the string given to the gql function as aGraphQLString instead of the return value.

Also, a test of this would be nice.
A GraphQLString is a sink for js/sql-injection, so you can add a test to that existing query.

Copy link
Copy Markdown
Contributor Author

@maikypedia maikypedia Oct 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Erik 😄 ! That part is not finished because I wanted to ask how it could be done because I couldn't get it to work. I don't know why using .getACall().getArgument(0) works with execFile and not with gql. Any ideas?

const { execFile } = require("child_process");
const { ApolloServer, gql } = require("apollo-server");

execFile("whoami"); 

const typeDefs = gql`
  type Query {
    hello: String
  }
`;

Copy link
Copy Markdown
Contributor

@erik-krogh erik-krogh Oct 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, tagged template strings are not currently seen as calls in our analysis, and you're not the only one that's noticed this limitation recently.
The proper fix is to get tagged template strings added to DataFlow::CallNode (which involves adding a new case in DataFlow.qll that extends CallNodeDef).

Your use with API-graphs should just magically work after tagged template strings are added as DataFlow::CallNodes.

I'll look into fixing that limitation of our analysis later, but it might take a while before I get started on that.

If you're feeling adventurous you can try it yourself (that would definitely belong in a separate PR).

Copy link
Copy Markdown
Contributor

@erik-krogh erik-krogh Oct 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just opened a PR to recognize tagged template literals as a DataFlow::CallNode: #14405

I suggest you take a look at that PR and incorporate it into your PR after my PR has been merged.
There is no rush, so just wait until my PR has been merged.

Copy link
Copy Markdown
Contributor Author

@maikypedia maikypedia Oct 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure! Thanks :) 👍

Copy link
Copy Markdown
Contributor

@erik-krogh erik-krogh Oct 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#14405 has been merged, so you can incorporate that into this PR.


/** A string that is interpreted as a GraphQL query by a `graphql` package. */
private class ApolloServer extends ApolloGraphQL::ApolloGraphQLServer {
Comment thread
maikypedia marked this conversation as resolved.
Outdated
ApolloServer() { this = apollo().getAnInstantiation() }

predicate isPermissive() {
Copy link
Copy Markdown
Contributor

@erik-krogh erik-krogh Oct 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This predicate is never used.

this.(DataFlow::NewNode)
.getOptionArgument(0, "cors")
.getALocalSource()
.getAPropertyWrite("origin")
.getRhs()
.mayHaveBooleanValue(true)
}
}
}
50 changes: 50 additions & 0 deletions .../ql/lib/semmle/javascript/security/dataflow/CorsPermissiveConfigurationCustomizations.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
/**
* Provides default sources, sinks and sanitizers for reasoning about
* overly permissive CORS configurations, as well as
* extension points for adding your own.
*/

import javascript

module CorsPermissiveConfiguration {
Comment thread
maikypedia marked this conversation as resolved.
Outdated
/**
* A data flow source for permissive CORS configuration.
*/
abstract class Source extends DataFlow::Node { }

/**
* A data flow sink for permissive CORS configuration.
*/
abstract class Sink extends DataFlow::Node { }

/**
* A sanitizer for permissive CORS configuration.
*/
abstract class Sanitizer extends DataFlow::Node { }

/** A source of remote user input, considered as a flow source for CORS misconfiguration. */
class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource {
RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
}

/** true and null are considered bad values */
Comment thread Fixed
class BadValues extends Source instanceof DataFlow::Node {
Copy link
Copy Markdown
Contributor

@erik-krogh erik-krogh Oct 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
class BadValues extends Source instanceof DataFlow::Node {
class BadValues extends Source {

Adding DataFlow::Node should make no difference here.

BadValues() { this.mayHaveBooleanValue(true) or this.asExpr() instanceof NullLiteral }
}

/**
* The value of cors origin when initializing the application.
*/
class CorsApolloServer extends Sink, DataFlow::ValueNode {
CorsApolloServer() {
exists(ApolloGraphQL::ApolloGraphQLServer agql |
this =
agql.(DataFlow::NewNode)
.getOptionArgument(0, "cors")
.getALocalSource()
.getAPropertyWrite("origin")
.getRhs()
)
}
}
}
28 changes: 28 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/CorsPermissiveConfigurationQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
/**
* Provides a dataflow taint tracking configuration for reasoning
* about overly permissive CORS configurations.
*
* Note, for performance reasons: only import this file if
* `CorsPermissiveConfiguration::Configuration` is needed,
* otherwise `CorsPermissiveConfigurationCustomizations` should
* be imported instead.
*/

import javascript
import CorsPermissiveConfigurationCustomizations::CorsPermissiveConfiguration

/**
* A data flow configuration for overly permissive CORS configuration.
*/
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "CorsPermissiveConfiguration" }

override predicate isSource(DataFlow::Node source) { source instanceof Source }

override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node) or
node instanceof Sanitizer
}
}
20 changes: 20 additions & 0 deletions javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
/**
Comment thread
maikypedia marked this conversation as resolved.
Outdated
* @name overly CORS configuration
* @description Misconfiguration of CORS HTTP headers allows CSRF attacks.
* @kind path-problem
* @problem.severity error
* @security-severity 7.5
* @precision high
* @id js/cors-misconfiguration
* @tags security
* external/cwe/cwe-942
*/

import javascript
import semmle.javascript.security.dataflow.CorsPermissiveConfigurationQuery
import DataFlow::PathGraph

from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ misconfiguration due to a $@.", sink.getNode(),
Comment thread Fixed
"CORS Origin", source.getNode(), "too permissive or user controlled value"
Comment thread
maikypedia marked this conversation as resolved.
Outdated
39 changes: 39 additions & 0 deletions javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
nodes
| tst.js:8:9:8:59 | user_origin |
| tst.js:8:23:8:46 | url.par ... , true) |
| tst.js:8:23:8:52 | url.par ... ).query |
| tst.js:8:23:8:59 | url.par ... .origin |
| tst.js:8:33:8:39 | req.url |
| tst.js:8:33:8:39 | req.url |
| tst.js:8:42:8:45 | true |
| tst.js:8:42:8:45 | true |
| tst.js:11:25:11:28 | true |
| tst.js:11:25:11:28 | true |
| tst.js:11:25:11:28 | true |
| tst.js:16:25:16:28 | true |
| tst.js:16:25:16:28 | true |
| tst.js:16:25:16:28 | true |
| tst.js:26:25:26:28 | null |
| tst.js:26:25:26:28 | null |
| tst.js:26:25:26:28 | null |
| tst.js:31:25:31:35 | user_origin |
| tst.js:31:25:31:35 | user_origin |
edges
| tst.js:8:9:8:59 | user_origin | tst.js:31:25:31:35 | user_origin |
| tst.js:8:9:8:59 | user_origin | tst.js:31:25:31:35 | user_origin |
| tst.js:8:23:8:46 | url.par ... , true) | tst.js:8:23:8:52 | url.par ... ).query |
| tst.js:8:23:8:52 | url.par ... ).query | tst.js:8:23:8:59 | url.par ... .origin |
| tst.js:8:23:8:59 | url.par ... .origin | tst.js:8:9:8:59 | user_origin |
| tst.js:8:33:8:39 | req.url | tst.js:8:23:8:46 | url.par ... , true) |
| tst.js:8:33:8:39 | req.url | tst.js:8:23:8:46 | url.par ... , true) |
| tst.js:8:42:8:45 | true | tst.js:8:23:8:46 | url.par ... , true) |
| tst.js:8:42:8:45 | true | tst.js:8:23:8:46 | url.par ... , true) |
| tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true |
| tst.js:16:25:16:28 | true | tst.js:16:25:16:28 | true |
| tst.js:26:25:26:28 | null | tst.js:26:25:26:28 | null |
#select
| tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true | $@ misconfiguration due to a $@. | tst.js:11:25:11:28 | true | CORS Origin | tst.js:11:25:11:28 | true | too permissive or user controlled value |
| tst.js:16:25:16:28 | true | tst.js:16:25:16:28 | true | tst.js:16:25:16:28 | true | $@ misconfiguration due to a $@. | tst.js:16:25:16:28 | true | CORS Origin | tst.js:16:25:16:28 | true | too permissive or user controlled value |
| tst.js:26:25:26:28 | null | tst.js:26:25:26:28 | null | tst.js:26:25:26:28 | null | $@ misconfiguration due to a $@. | tst.js:26:25:26:28 | null | CORS Origin | tst.js:26:25:26:28 | null | too permissive or user controlled value |
| tst.js:31:25:31:35 | user_origin | tst.js:8:33:8:39 | req.url | tst.js:31:25:31:35 | user_origin | $@ misconfiguration due to a $@. | tst.js:31:25:31:35 | user_origin | CORS Origin | tst.js:8:33:8:39 | req.url | too permissive or user controlled value |
| tst.js:31:25:31:35 | user_origin | tst.js:8:42:8:45 | true | tst.js:31:25:31:35 | user_origin | $@ misconfiguration due to a $@. | tst.js:31:25:31:35 | user_origin | CORS Origin | tst.js:8:42:8:45 | true | too permissive or user controlled value |
1 change: 1 addition & 0 deletions javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Security/CWE-942/CorsPermissiveConfiguration.ql
33 changes: 33 additions & 0 deletions javascript/ql/test/query-tests/Security/CWE-942/tst.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
import { ApolloServer } from 'apollo-server';
var https = require('https'),
url = require('url');

var server = https.createServer(function () { });

server.on('request', function (req, res) {
let user_origin = url.parse(req.url, true).query.origin;
// BAD: attacker can choose the value of origin
const server_1 = new ApolloServer({
cors: { origin: true }
});

// BAD: CORS too permissive
const server_2 = new ApolloServer({
cors: { origin: true }
});

// GOOD: restrictive CORS
const server_3 = new ApolloServer({
cors: false
});

// BAD: CORS too permissive
const server_4 = new ApolloServer({
cors: { origin: null }
});

// BAD: CORS is controlled by user
const server_5 = new ApolloServer({
cors: { origin: user_origin }
});
});