hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-30 14:52:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

ReflectedXss: More broadly exclude values with a constant prefix

Browse Source
This commit is contained in:
Sauyon Lee
2020-05-11 15:49:37 -07:00
parent 0e779d0b64
commit 58e41e9302
4 changed files with 52 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ql/src/semmle/go/frameworks/Stdlib.qll
View File

@@ -596,7 +596,7 @@ module Log {
/** Provides models of some functions in the `encoding/json` package. */
module EncodingJson {
private class MarshalFunction extends TaintTracking::FunctionModel, MarshalingFunction::Range {
class MarshalFunction extends TaintTracking::FunctionModel, MarshalingFunction::Range {
MarshalFunction() {
this.hasQualifiedName("encoding/json", "Marshal") or
this.hasQualifiedName("encoding/json", "MarshalIndent")

8
ql/src/semmle/go/security/ReflectedXssCustomizations.qll
View File

@@ -69,6 +69,14 @@ module ReflectedXss {
// - '%', which could be a format string.
call.getArgument(1).getStringValue().regexpMatch("^[^<%].*")
)
or
exists(DataFlow::Node pred | body = pred.getASuccessor*() |
// data starting with `<` cannot cause an HTML content type to be detected.
pred.getStringValue().regexpMatch("^[^<].*")
or
// json data cannot begin with `<`
pred = any(EncodingJson::MarshalFunction mf).getOutput().getExitNode(_)
)
)
}

12
ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
View File

@@ -2,7 +2,8 @@ edges
| ReflectedXss.go:11:15:11:20 | selection of Form : Values | ReflectedXss.go:14:44:14:51 | username |
| contenttype.go:11:11:11:16 | selection of Form : Values | contenttype.go:17:11:17:22 | type conversion |
| contenttype.go:49:11:49:16 | selection of Form : Values | contenttype.go:53:34:53:37 | data |
| tst.go:11:15:11:20 | selection of Form : Values | tst.go:15:12:15:39 | type conversion |
| tst.go:13:15:13:20 | selection of Form : Values | tst.go:17:12:17:39 | type conversion |
| tst.go:47:14:47:19 | selection of Form : Values | tst.go:52:12:52:26 | type conversion |
nodes
| ReflectedXss.go:11:15:11:20 | selection of Form : Values | semmle.label | selection of Form : Values |
| ReflectedXss.go:14:44:14:51 | username | semmle.label | username |
@@ -10,10 +11,13 @@ nodes
| contenttype.go:17:11:17:22 | type conversion | semmle.label | type conversion |
| contenttype.go:49:11:49:16 | selection of Form : Values | semmle.label | selection of Form : Values |
| contenttype.go:53:34:53:37 | data | semmle.label | data |
| tst.go:11:15:11:20 | selection of Form : Values | semmle.label | selection of Form : Values |
| tst.go:15:12:15:39 | type conversion | semmle.label | type conversion |
| tst.go:13:15:13:20 | selection of Form : Values | semmle.label | selection of Form : Values |
| tst.go:17:12:17:39 | type conversion | semmle.label | type conversion |
| tst.go:47:14:47:19 | selection of Form : Values | semmle.label | selection of Form : Values |
| tst.go:52:12:52:26 | type conversion | semmle.label | type conversion |
#select
| ReflectedXss.go:14:44:14:51 | username | ReflectedXss.go:11:15:11:20 | selection of Form : Values | ReflectedXss.go:14:44:14:51 | username | Cross-site scripting vulnerability due to $@. | ReflectedXss.go:11:15:11:20 | selection of Form | user-provided value |
| contenttype.go:17:11:17:22 | type conversion | contenttype.go:11:11:11:16 | selection of Form : Values | contenttype.go:17:11:17:22 | type conversion | Cross-site scripting vulnerability due to $@. | contenttype.go:11:11:11:16 | selection of Form | user-provided value |
| contenttype.go:53:34:53:37 | data | contenttype.go:49:11:49:16 | selection of Form : Values | contenttype.go:53:34:53:37 | data | Cross-site scripting vulnerability due to $@. | contenttype.go:49:11:49:16 | selection of Form | user-provided value |
| tst.go:15:12:15:39 | type conversion | tst.go:11:15:11:20 | selection of Form : Values | tst.go:15:12:15:39 | type conversion | Cross-site scripting vulnerability due to $@. | tst.go:11:15:11:20 | selection of Form | user-provided value |
| tst.go:17:12:17:39 | type conversion | tst.go:13:15:13:20 | selection of Form : Values | tst.go:17:12:17:39 | type conversion | Cross-site scripting vulnerability due to $@. | tst.go:13:15:13:20 | selection of Form | user-provided value |
| tst.go:52:12:52:26 | type conversion | tst.go:47:14:47:19 | selection of Form : Values | tst.go:52:12:52:26 | type conversion | Cross-site scripting vulnerability due to $@. | tst.go:47:14:47:19 | selection of Form | user-provided value |

35
ql/test/query-tests/Security/CWE-079/tst.go
View File

@@ -1,6 +1,8 @@
package main
import (
"encoding/json"
"fmt"
"net/http"
"strings"
)
@@ -19,3 +21,36 @@ func serve6() {
})
http.ListenAndServe(":80", nil)
}
type User struct {
name string
}
func serve7() {
http.HandleFunc("/user", func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
username := r.Form.Get("username")
if !isValidUsername(username) {
// OK: json data cannot cause an HTML content type to be detected
a, _ := json.Marshal(User{username})
w.Write(a)
} else {
// TODO: do something exciting
}
})
http.ListenAndServe(":80", nil)
}
func serve8() {
http.HandleFunc("/user", func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
service := r.Form.Get("service")
if service != "service1" && service != "service2" {
fmt.Fprintln(w, "Service not found")
} else {
// OK: json data cannot cause an HTML content type to be detected
w.Write([]byte(service))
}
})
http.ListenAndServe(":80", nil)
}