adding suggestion that removes sanitizer for unknown base urls

2026-04-30 03:05:15 +02:00 · 2021-09-27 17:37:36 -03:00
parent 1f2618b893
commit 1fc58e51a3
1 changed files with 15 additions and 1 deletions
--- a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
+++ b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
@@ -14,8 +14,22 @@ class Configuration extends TaintTracking::Configuration {
    node instanceof RequestForgery::Sanitizer
  }

+  private predicate hasSanitizingSubstring(DataFlow::Node nd) {
+    nd.getStringValue().regexpMatch(".*[?#].*")
+    or
+    hasSanitizingSubstring(StringConcatenation::getAnOperand(nd))
+    or
+    hasSanitizingSubstring(nd.getAPredecessor())
+  }
+  
+  private predicate strictSanitizingPrefixEdge(DataFlow::Node source, DataFlow::Node sink) {
+    exists(DataFlow::Node operator, int n |
+      StringConcatenation::taintStep(source, sink, operator, n) and
+      hasSanitizingSubstring(StringConcatenation::getOperand(operator, [0 .. n - 1]))
+    )
+  }
  override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
-    sanitizingPrefixEdge(source, sink)
+    strictSanitizingPrefixEdge(source, sink)
  }

  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode nd) {