hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

SSRF: don't consider results of fetches we initiated to be untrustworthy

Browse Source
This commit is contained in:
Chris Smowton
2021-04-01 15:45:32 +01:00
parent c63d5986cf
commit 26e10f3ad5
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
View File

@@ -18,7 +18,13 @@ import DataFlow::PathGraph
class RequestForgeryConfiguration extends TaintTracking::Configuration { class RequestForgeryConfiguration extends TaintTracking::Configuration {
RequestForgeryConfiguration() { this = "Server Side Request Forgery" } RequestForgeryConfiguration() { this = "Server Side Request Forgery" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } override predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource and
// Exclude results of remote HTTP requests: fetching something else based on that result
// is no worse than following a redirect returned by the remote server, and typically
// we're requesting a resource via https which we trust to only send us to safe URLs.
not source.asExpr().(MethodAccess).getCallee() instanceof URLConnectionGetInputStreamMethod
}
override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink } override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }