JS: promote the js/missing-origin-verification query#8724
Conversation
|
The evaluation looks about as expected. No performance regression, but lots of new results. |
| result = | ||
| origin(t.continue(), handler) | ||
| .getAMethodCall([ | ||
| "toString", "toLowerCase", "toUpperCase", "toLocaleLowerCase", "toLocaleUpperCase" |
There was a problem hiding this comment.
Not relevant for this PR:
"toLocaleLowerCase", "toLocaleUpperCase"
Hmm. I would consider it a bug to use those instead of the canonical to(Lower|Upper)Case calls, but perhaps the programmers are saved by the fact that all browser origins normalizes the same way regardless of locales.
There was a problem hiding this comment.
Hmm. I would consider it a bug to use those instead of the canonical to(Lower|Upper)Case calls
It would definitely be weird to use the Locale variants of those methods.
I mainly included them because Copilot suggested them.
| } | ||
|
|
||
| /** Holds if there exists a check of the .origin or .source of the postmessage `handler`. */ | ||
| predicate hasOriginCheck(PostMessageHandler handler) { |
There was a problem hiding this comment.
I expected to see various startsWith and endsWith variants here. They can be sufficient if done correctly, if they are done incorrectly, we could flag them with a separate query.
Did you see any FPs due to not recognizing such checks?
There was a problem hiding this comment.
Did you see any FPs due to not recognizing such checks?
I went through the example results, and there was indeed an FP related to startsWith: https://lgtm.com/query/4833361159564412520/
I'll get StartsWith/EndsWith in there.
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
|
👋🏻 - I'll try to review this later today. Sorry for the delay, the team is understaffed this week 😢 |
mchammer01
left a comment
There was a problem hiding this comment.
@erik-krogh - this LGTM ✨
A few editorial comments/suggestions for your consideration.
I believe that you do not need to add the MITRE CWE link at the end of the References section in the qhelp file as this is done automatically behind the scenes from the tags specified in the ql file.
Approving this so I am not blocking you.
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
| * An equality test on `e.origin` or `e.source` where `e` is a `postMessage` event object, | ||
| * considered as a sanitizer for `e`. | ||
| */ | ||
| private class PostMessageEventSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode { |
Check warning
Code scanning / CodeQL
Using implicit `this`
|
|
||
| PostMessageEventSanitizer() { | ||
| exists(string prop | prop = "origin" or prop = "source" | | ||
| astNode.getAnOperand().(PropAccess).accesses(event, prop) and |
Check warning
Code scanning / CodeQL
Using implicit `this`
| exists(string prop | prop = "origin" or prop = "source" | | ||
| astNode.getAnOperand().(PropAccess).accesses(event, prop) and | ||
| event.mayReferToParameter(any(PostMessageEventHandler h).getEventParameter()) | ||
| event.mayReferToParameter(any(PostMessageEventHandler h).getEventParameter()) and |
Check warning
Code scanning / CodeQL
Using implicit `this`
| test.getAnOperand().flow() = read | ||
| ) | ||
| or | ||
| exists(InclusionTest test | polarity = test.getPolarity() and this = test | |
Check warning
Code scanning / CodeQL
Using implicit `this`
|
|
||
| override predicate sanitizes(boolean outcome, Expr e) { | ||
| outcome = astNode.getPolarity() and | ||
| outcome = polarity and |
Check warning
Code scanning / CodeQL
Using implicit `this`
Check warning
Code scanning / CodeQL
Using implicit `this`
Check warning
Code scanning / CodeQL
Using implicit `this`
Check warning
Code scanning / CodeQL
Using implicit `this`
Check warning
Code scanning / CodeQL
Using implicit `this`
Check warning
Code scanning / CodeQL
Using implicit `this`
mchammer01
left a comment
There was a problem hiding this comment.
LGTM, thanks for addressing my comments ✨
Sorry, added a minor suggestion as there were missing words in a sentence that I seem to have missed during my first review 😞
|
|
||
| <p> | ||
| The example is fixed below, where the origin is checked to be trusted. | ||
| It is therefore not possible for a malicious user to attack using an untrusted origin. |
There was a problem hiding this comment.
| It is therefore not possible for a malicious user to attack using an untrusted origin. | |
| It is therefore not possible for a malicious user to raise an attack using an untrusted origin. |
There was a problem hiding this comment.
Hmmm. I'm not fond the the raise an addition.
How about perform an instead?
There was a problem hiding this comment.
Perform an attack is absolutely fine 👍🏻
CVE-2022-24762: TP/TN
We already treat the data from a "message" event as a
RemoteFlowSource.However, sometimes there might be a security issue related to the "message" event that we don't flag.
For these reasons it can be a good idea to flag all "message" events that have no origin check.
I've placed it as a medium precision warning query, so it is not enabled by default.
Here are some example results.
I organized the tests in
CWE-020into subfolders because it was starting to be hard to keep track of them.I did a drive-by addition to
PostMessageEventSanitizer, such that it now recognizes inclusion-tests.Evaluation will come later when DCA starts working again.