[Javascript] CWE-348: Client supplied ip used in security check by yabeow · Pull Request #6864 · github/codeql

yabeow · 2021-10-13T07:17:00Z

Hi there,

This merge request ports these two similar queries to Javascript:

I also used local data flow to detect more sanitized cases in Javascript.

esbena · 2021-10-25T14:00:30Z

Thanks. This generally LGTM. I have a few suggestions for code quality improvements.
I think the source and sinks are a bit on the heuristic side, but I am happy to see them merged if they work well in practice.

(I trust that all of the learnings from the two other PRs have made it into this PR.)

esbena · 2021-10-25T13:51:46Z

+      node.asExpr().(MethodCallExpr).getMethodName() = "split" and
+      source = node and
+      not aa.getIndex().getIntValue() = 0 and
+      source.flowsTo(aa.getAChildExpr().flow())


getAChildExpr should generally not be used, but rather something like getIndex as seen above. What is being expressed in this final conjunct?

I used getAChildExpr to get the variable being indexed. I think this is the correct way to do this, do you have any other suggestions?

This is the AST tree of temp[temp.length - 1];

I see now, thanks for clarifying. We should just stick to the DataFlow library then. Something like the following should do the trick:

exists(DataFlow::MethodCallNode split, DataFlow::PropRead read | split = node and split.getMethodName() = "split" and // n.split(...) read = split.getAPropertyRead() // <n.split(...)>[...] not read.getPropertyNameExpr().getIntValue() = 0 and

Hi @esbena,

Sorry for the late reply, I have modified the isSanitizer part and it should look good now. Thanks for your awesome suggestions. Do you have a moment to take a look at it again?

Friendly ping! @esbena

@esbena Hey there!

Sorry about the delay. I'll take a look now.

esbena

Thank you, there's one http/HTTP casing mistake left to fix. I have started a final performance check of the query, I'll approve once it looks good.

…IpUsedInSecurityCheck.qhelp Co-authored-by: Esben Sparre Andreasen <esbena@github.com>

esbena · 2022-02-11T07:14:05Z

Have you run this query with vscode and viewed the results?
Queries with @kind path-problem must import PathGraph to output path explanations...

Example:

codeql/javascript/ql/src/Security/CWE-079/Xss.ql

Line 17 in 017183e

import DataFlow::PathGraph

esbena · 2022-05-09T13:38:03Z

Draft-stating the PR due to inactivity, but feel free to undraft when you have implemented the requested changes.

yabeow requested a review from a team as a code owner October 13, 2021 07:17

github-actions Bot added documentation JS labels Oct 13, 2021

asgerf requested a review from esbena October 25, 2021 12:40

esbena reviewed Oct 26, 2021

View reviewed changes

[Javascript] Add CWE-348 ClientSuppliedIpUsedInSecurityCheck

a818580

yabeow force-pushed the js/ClientSuppliedIpUsedInSecurityCheck branch from 9576171 to a818580 Compare November 15, 2021 07:13

esbena reviewed Nov 16, 2021

View reviewed changes

Comment thread javascript/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll Outdated

remove unnecessary imports

f0e5051

esbena reviewed Feb 10, 2022

View reviewed changes

Comment thread javascript/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qhelp Outdated

Update javascript/ql/src/experimental/Security/CWE-348/ClientSupplied…

addbeec

…IpUsedInSecurityCheck.qhelp Co-authored-by: Esben Sparre Andreasen <esbena@github.com>

esbena marked this pull request as draft May 9, 2022 13:38

Conversation

yabeow commented Oct 13, 2021

Uh oh!

esbena commented Oct 25, 2021

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

esbena Oct 25, 2021

Choose a reason for hiding this comment

Uh oh!

yabeow Oct 29, 2021

Choose a reason for hiding this comment

Uh oh!

esbena Oct 29, 2021

Choose a reason for hiding this comment

Uh oh!

yabeow Nov 15, 2021

Choose a reason for hiding this comment

Uh oh!

yabeow Nov 29, 2021

Choose a reason for hiding this comment

Uh oh!

yabeow Feb 9, 2022

Choose a reason for hiding this comment

Uh oh!

esbena Feb 10, 2022

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

esbena left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

esbena commented Feb 11, 2022

Uh oh!

esbena commented May 9, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants