permit http urls to 127.0.0.1 and others

Stephan Brandauer
2022-02-14 15:54:19 +01:00
parent dd2b779a3c
commit b35c70994f
2 changed files with 13 additions and 7 deletions


@@ -15,20 +15,23 @@ import javascript
import semmle.javascript.HTML
bindingset[host]
predicate isAllowedHost(string host) { host.toLowerCase().regexpMatch("localhost(:[0-9]+)?/.*") }
predicate isLocalhostPrefix(string host) {
host.toLowerCase()
.regexpMatch([
"localhost(:[0-9]+)?/.*", "127.0.0.1(:[0-9]+)?/.*", "::1/.*", "\\[::1\\]:[0-9]+/.*"
])
}
bindingset[path]
predicate isUntrustedSourcePath(string path) {
path.substring(0, 2) = "//"
or
exists(string hostPath | hostPath = path.regexpCapture("http://(.*)", 1) |
not isAllowedHost(hostPath)
not isLocalhostPrefix(hostPath)
)
}
abstract class IncludesUntrustedContent extends HTML::Element {
IncludesUntrustedContent() { this = this }
/** Gets an explanation why this source is untrusted. */
abstract string getProblem();
}
@@ -41,7 +44,7 @@ class ScriptElementWithUntrustedContent extends IncludesUntrustedContent, HTML::
}
override string getProblem() {
result = "script elements should use an https link and/or use the integrity attribute"
result = "script elements should use an HTTPS url and/or use the integrity attribute"
}
}
@@ -49,9 +52,9 @@ class ScriptElementWithUntrustedContent extends IncludesUntrustedContent, HTML::
class IframeElementWithUntrustedContent extends HTML::IframeElement, IncludesUntrustedContent {
IframeElementWithUntrustedContent() { isUntrustedSourcePath(this.getSourcePath()) }
override string getProblem() { result = "iframe elements should use an https link" }
override string getProblem() { result = "iframe elements should use an HTTPS url" }
}
from IncludesUntrustedContent s, string problem
where problem = s.getProblem()
select s, "HTML-element imports untrusted content (" + problem + ")"
select s, "HTML-element uses untrusted content (" + problem + ")"
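Review bot: The dots in `"127.0.0.1(:[0-9]+)?/.*"` inside isLocalhostPrefix are unescaped, so each one matches any character and a host such as `127-0-0-1` is treated as loopback and never reported; write `"127\\.0\\.0\\.1(:[0-9]+)?/.*"` instead. The bracketed IPv6 alternative makes the port mandatory while the other alternatives make it optional, so `http://[::1]/x` would still be flagged; `"\\[::1\\](:[0-9]+)?/.*"` would be consistent. The unbracketed `"::1/.*"` alternative accepts a form that is not a valid URL authority (RFC 3986 requires brackets around an IPv6 literal), so it is worth either dropping or marking as deliberate leniency in a comment. A short doc comment on the predicate, saying that it matches the host-and-path remainder after `http://` and requires a `/` after the host, would make these constraints visible to the next editor.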


@@ -9,5 +9,8 @@
<iframe src="http://test.local/foo.html"></iframe> <!-- NOT OK -->
<iframe src="https://test.local/foo.html"></iframe> <!-- OK (https) -->
<iframe src="//test.local/foo.html"></iframe> <!-- NOT OK (protocol-relative url) -->
<iframe src="http://::1/foo.html"></iframe> <!-- OK (localhost) -->
<iframe src="http://[::1]:80/foo.html"></iframe> <!-- OK (localhost) -->
<iframe src="http://127.0.0.1:444/foo.html"></iframe> <!-- OK (localhost) -->
</body>
</html>
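Review bot: The three added iframe cases only exercise hosts that should be accepted, so nothing in this hunk pins that a look-alike host is still reported. Consider adding a negative case such as `<iframe src="http://127.0.0.1.test.local/foo.html"></iframe> <!-- NOT OK -->` (constructed example). A bracketed IPv6 case without a port, `<iframe src="http://[::1]/foo.html"></iframe>`, would also help, labelled with whatever the query is meant to decide for it. The `http://::1/foo.html` case is marked OK although an IPv6 literal without brackets is not a valid URL host; its comment could say that accepting it is intentional.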