Split out "compromised" functionality

This commit is contained in:
aegilops
2024-07-08 10:56:12 +01:00
parent e2b37f97b0
commit 1fe14e26b1
2 changed files with 26 additions and 3 deletions


@@ -42,11 +42,19 @@ module StaticCreation {
"code\\.jquery\\.com", //
"cdnjs\\.cloudflare\\.com", //
"cdnjs\\.com", //
"cdn\\.polyfill\\.io", // compromised
"polyfill\\.io", // compromised
] + "/.*\\.js$")
}
/** Holds if `url` refers to a compromised CDN, that should not be trusted. */
bindingset[url]
predicate isCompromisedCdn(string url) {
url.regexpMatch("(?i)^https?://" +
[
"cdn\\.polyfill\\.io", // See https://sansec.io/research/polyfill-supply-chain-attack for details
"polyfill\\.io", // "
] + "/.*$")
}
/** A script element that refers to untrusted content. */
class ScriptElementWithUntrustedContent extends AddsUntrustedUrl instanceof HTML::ScriptElement {
ScriptElementWithUntrustedContent() {
@@ -59,6 +67,19 @@ module StaticCreation {
override string getProblem() { result = "Script loaded using unencrypted connection." }
}
/** A script element that refers to compromised content. */
class CdnFromCompromisedSource extends AddsUntrustedUrl, HTML::ScriptElement {
CdnFromCompromisedSource() {
isCompromisedCdn(this.getSourcePath())
}
override string getUrl() { result = this.getSourcePath() }
override string getProblem() {
result = "Script loaded from compromised content delivery network."
}
}
/** A script element that refers to untrusted content. */
class CdnScriptElementWithUntrustedContent extends AddsUntrustedUrl, HTML::ScriptElement {
CdnScriptElementWithUntrustedContent() {
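Review bot: The regex in `isCompromisedCdn` only matches URLs that start with an explicit `http://` or `https://` and have a `/` directly after the host, so a protocol-relative reference such as `//cdn.polyfill.io/<path>` (constructed example) or a bare `https://polyfill.io` is not reported, although a script tag can load either just as well. A broader but still host-specific form is `url.regexpMatch("(?i)^(https?:)?//" + ["cdn\\.polyfill\\.io", "polyfill\\.io"] + "(/.*)?$")`, or whatever prefix the general CDN list at the top of the hunk already uses if it accepts scheme-less URLs — that list starts outside the hunk, so I cannot confirm. The two hosts also remain in that general list (`cdn\\.polyfill\\.io` and `polyfill\\.io`, both marked `// compromised`), so if both classes feed the same query a polyfill.io script is presumably reported twice with different messages; either drop them from the general list or state in the QLDoc of `CdnFromCompromisedSource` that this class is the intended result for those hosts. As a point of style, `CdnFromCompromisedSource` is declared with `extends AddsUntrustedUrl, HTML::ScriptElement` while the neighbouring `ScriptElementWithUntrustedContent` uses `instanceof HTML::ScriptElement`; the two should agree. Module `StaticCreation` and the constructor of `CdnScriptElementWithUntrustedContent` continue past the end of the hunk.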


@@ -1,4 +1,6 @@
---
category: minorAnalysis
---
* Added a new query, `js/polyfill-io-compromised-script`, which detects uses in HTML and JavaScript of the compromised `polyfill.io` content delivery network.
* Added a new query, `js/polyfill-io-compromised-script`, which detects uses in HTML and JavaScript of the compromised `polyfill.io` content delivery network.
* Modified existing query, `js/functionality-from-untrusted-source`, to add a new check for the compromised `polyfill.io` content delivery network.
* Created a shared library, `semmle.javascript.security.FunctionalityFromUntrustedSource`, to separate the logic from the existing query and allow having a separate new Polyfill-specific query.