polish qhelp for CWE-830 and add test file

This commit is contained in:
Stephan Brandauer
2022-02-16 10:27:45 +01:00
parent 44d86569ac
commit 9aec4437e2
2 changed files with 46 additions and 6 deletions


@@ -5,7 +5,7 @@
<overview>
<p>
Including functionality from an external source via an http link may
Including functionality from an external source via an http URL may
allow an attacker to inject malicious code via a MITM (man-in-the-middle) attack.
</p>
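Review bot: Style: now that "link" becomes "URL" here, consider naming the schemes consistently throughout the qhelp, since the recommendation below still mixes an emphasised <em>https</em> with plain "http" in running text; writing both as HTTP/HTTPS (or both in <code>) would keep the overview and recommendation aligned. "MITM (man-in-the-middle)" also reads more naturally as "man-in-the-middle (MITM)" on first use.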
@@ -15,16 +15,33 @@
<recommendation>
<p>
When including external pages or behaviour, use <em>https</em> links (instead of http)
to be certain that you are getting a response from the intended server, not
someone else.
When including external pages or behaviour, use <em>https</em> URLs to make sure you're
getting the intended data, or users will be vulnerable to MITM attacks.
</p>
<p>
Using http links is unsafe because the request sent may be intercepted by an attacker,
and malicious data may be sent back in reply.
When including external behaviour in iframe or script elements, using http URLs is
unsafe because the request sent may be intercepted by an attacker, and malicious data
may be sent back in reply.
</p>
<p>
Even when https is used, an attacker might still compromise the server the page is
receving data from.
When including scripts from a CDN (content-delivery network), it is therefore recommended
to set the integrity-attribute on the script tag to the hash of the script you're expecting
to receive.
This makes it impossible for an attacker to inject any code into the page, because the
integrity check would fail &mdash; even when the CDN is compromised.
See the reference on Subresource Integrity for more information.
</p>
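Review bot: "This makes it impossible for an attacker to inject any code into the page" overstates what Subresource Integrity provides: the integrity attribute only guarantees that this particular script matches the expected digest, so a phrasing like "This prevents an attacker from substituting a modified script, because the integrity check would fail" is more accurate. Smaller points in the same paragraph: "receving" should be "receiving", "integrity-attribute" should be "integrity attribute" (or the <code>integrity</code> attribute), and "See the reference on Subresource Integrity" presumes a matching entry in the <references> section, which is not visible in this diff, so please make sure it is added.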


@@ -0,0 +1,23 @@
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<script src="http://test.local/foo.js"></script>> <!-- NOT OK -->
<script src="http://test.local/foo.js" integrity="some-integrity-hash"></script>> <!-- OK (integrity digest present) -->
<script src="https://test.local/bar.js"></script>> <!-- OK (https) -->
<iframe src="http://test.local/foo.html"></iframe> <!-- NOT OK -->
<iframe src="https://test.local/foo.html"></iframe> <!-- OK (https) -->
<iframe src="//test.local/foo.html"></iframe> <!-- OK (protocol-relative url is allowed as a http url of
the page is vulnerable in the first place) -->
<iframe src="http://::1/foo.html"></iframe> <!-- OK (localhost) -->
<iframe src="http://[::1]:80/foo.html"></iframe> <!-- OK (localhost) -->
<iframe src="http://127.0.0.1:444/foo.html"></iframe> <!-- OK (localhost) -->
<!-- Some CDNs recommend using the integrity attribute — for those, we demand it even with https links -->
<!-- OK (digest present) -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" integrity="sha512-7oYXeK0OxTFxndh0erL8FsjGvrl2VMDor6fVqzlLGfwOQQqTbYsGPv4ZZ15QHfSk80doyaM0ZJdvkyDcVO7KFA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
<!-- NOT OK (digest missing) -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
</body>
</html>
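Review bot: The first three script elements end with "</script>>", leaving a stray ">" that a browser renders as a text node; drop the extra character so each line reads like '<script src="http://test.local/foo.js"></script> <!-- NOT OK -->'. The integrity value "some-integrity-hash" is not valid SRI metadata (a real value has the form "sha384-" followed by a base64 digest), so a browser would ignore it and load the script unchecked; if the query only checks that the attribute is present this still works as a test, but a realistically shaped placeholder avoids documenting the wrong format. "http://::1/foo.html" is not a well-formed URL, since an IPv6 literal needs brackets as the next line has; either note that this case exercises a malformed host or fix it. Finally, the protocol-relative comment appears to have a typo and presumably means "allowed, because it only resolves to an http URL if the page itself is served over http, in which case the page is vulnerable in the first place".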