OAuth2 constant state query: trace local URLs across reference operations and Sprintf calls

2026-01-30 14:52:57 +01:00 · 2020-08-18 14:34:39 +01:00
parent 050a823397
commit 9e4ee0accf
1 changed files with 16 additions and 1 deletions
--- a/ql/src/experimental/CWE-352/ConstantOauth2State.ql
+++ b/ql/src/experimental/CWE-352/ConstantOauth2State.ql
@@ -65,12 +65,27 @@ class PrivateUrlFlowsToAuthCodeUrlCall extends DataFlow::Configuration {
  /**
   * Propagates a URL written to a RedirectURL field to the whole Config object.
   */
-  override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+  predicate isUrlTaintingConfigStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(Write w, Field f | f.hasQualifiedName("golang.org/x/oauth2", "Config", "RedirectURL") |
      w.writesField(succ.(DataFlow::PostUpdateNode).getPreUpdateNode(), f, pred)
    )
  }

+  override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    // Propagate from a RedirectURL field to a whole Config
+    isUrlTaintingConfigStep(pred, succ)
+    or
+    // Propagate across deref and address-taking steps
+    TaintTracking::referenceStep(pred, succ)
+    or
+    // Propagate across Sprintf and similar calls
+    exists(DataFlow::CallNode c |
+      c = any(Fmt::Sprinter s).getACall() and
+      pred = c.getAnArgument() and
+      succ = c.getResult()
+    )
+  }
+
  predicate isSink(DataFlow::Node sink, DataFlow::CallNode call) {
    exists(AuthCodeURL m | call = m.getACall() | sink = call.getReceiver())
  }