mirror of
https://github.com/github/codeql.git
synced 2026-04-29 18:55:14 +02:00
SSRF query: add sanitizer looking for a variety of ways of prepending a sanitizing prefix, such as one that restricts the hostname a URI will refer to.
This commit is contained in:
Chris Smowton
@@ -16,6 +16,12 @@ edges
|
||||
| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:19:23:19:58 | new URI(...) : URI |
|
||||
| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri |
|
||||
| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri |
|
||||
| RequestForgery.java:61:33:61:63 | getParameter(...) : String | RequestForgery.java:62:59:62:77 | new URI(...) |
|
||||
| RequestForgery.java:65:49:65:79 | getParameter(...) : String | RequestForgery.java:66:59:66:77 | new URI(...) |
|
||||
| RequestForgery.java:70:31:70:61 | getParameter(...) : String | RequestForgery.java:71:59:71:88 | new URI(...) |
|
||||
| RequestForgery.java:74:73:74:103 | getParameter(...) : String | RequestForgery.java:75:59:75:77 | new URI(...) |
|
||||
| RequestForgery.java:78:56:78:86 | getParameter(...) : String | RequestForgery.java:79:59:79:77 | new URI(...) |
|
||||
| RequestForgery.java:82:55:82:85 | getParameter(...) : String | RequestForgery.java:83:59:83:77 | new URI(...) |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:41:42:41:55 | fooResourceUrl |
|
||||
@@ -44,6 +50,18 @@ nodes
|
||||
| RequestForgery.java:19:31:19:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RequestForgery.java:22:52:22:54 | uri | semmle.label | uri |
|
||||
| RequestForgery.java:27:57:27:59 | uri | semmle.label | uri |
|
||||
| RequestForgery.java:61:33:61:63 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RequestForgery.java:62:59:62:77 | new URI(...) | semmle.label | new URI(...) |
|
||||
| RequestForgery.java:65:49:65:79 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RequestForgery.java:66:59:66:77 | new URI(...) | semmle.label | new URI(...) |
|
||||
| RequestForgery.java:70:31:70:61 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RequestForgery.java:71:59:71:88 | new URI(...) | semmle.label | new URI(...) |
|
||||
| RequestForgery.java:74:73:74:103 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RequestForgery.java:75:59:75:77 | new URI(...) | semmle.label | new URI(...) |
|
||||
| RequestForgery.java:78:56:78:86 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RequestForgery.java:79:59:79:77 | new URI(...) | semmle.label | new URI(...) |
|
||||
| RequestForgery.java:82:55:82:85 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RequestForgery.java:83:59:83:77 | new URI(...) | semmle.label | new URI(...) |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| SpringSSRF.java:32:47:32:67 | ... + ... | semmle.label | ... + ... |
|
||||
| SpringSSRF.java:37:43:37:56 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
@@ -66,6 +84,12 @@ nodes
|
||||
| RequestForgery2.java:69:29:69:32 | uri2 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery.java:22:52:22:54 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery.java:27:57:27:59 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery.java:62:59:62:77 | new URI(...) | RequestForgery.java:61:33:61:63 | getParameter(...) : String | RequestForgery.java:62:59:62:77 | new URI(...) | Potential server side request forgery due to $@. | RequestForgery.java:61:33:61:63 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery.java:66:59:66:77 | new URI(...) | RequestForgery.java:65:49:65:79 | getParameter(...) : String | RequestForgery.java:66:59:66:77 | new URI(...) | Potential server side request forgery due to $@. | RequestForgery.java:65:49:65:79 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery.java:71:59:71:88 | new URI(...) | RequestForgery.java:70:31:70:61 | getParameter(...) : String | RequestForgery.java:71:59:71:88 | new URI(...) | Potential server side request forgery due to $@. | RequestForgery.java:70:31:70:61 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery.java:75:59:75:77 | new URI(...) | RequestForgery.java:74:73:74:103 | getParameter(...) : String | RequestForgery.java:75:59:75:77 | new URI(...) | Potential server side request forgery due to $@. | RequestForgery.java:74:73:74:103 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery.java:79:59:79:77 | new URI(...) | RequestForgery.java:78:56:78:86 | getParameter(...) : String | RequestForgery.java:79:59:79:77 | new URI(...) | Potential server side request forgery due to $@. | RequestForgery.java:78:56:78:86 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery.java:83:59:83:77 | new URI(...) | RequestForgery.java:82:55:82:85 | getParameter(...) : String | RequestForgery.java:83:59:83:77 | new URI(...) | Potential server side request forgery due to $@. | RequestForgery.java:82:55:82:85 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:32:47:32:67 | ... + ... | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:37:43:37:56 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:41:42:41:55 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:41:42:41:55 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
|
||||
@@ -27,6 +27,62 @@ public class RequestForgery extends HttpServlet {
|
||||
HttpRequest r2 = HttpRequest.newBuilder(uri).build();
|
||||
client.send(r2, null);
|
||||
}
|
||||
|
||||
// GOOD: sanitisation by concatenation with a prefix that prevents targeting an arbitrary host.
|
||||
// We test a few different ways of sanitisation: via string conctentation (perhaps nested),
|
||||
// via a stringbuilder and via String.format.
|
||||
String safeUri3 = "https://example.com/" + request.getParameter("uri3");
|
||||
HttpRequest r3 = HttpRequest.newBuilder(new URI(safeUri3)).build();
|
||||
client.send(r3, null);
|
||||
|
||||
String safeUri4 = "https://example.com/" + ("someprefix" + request.getParameter("uri4"));
|
||||
HttpRequest r4 = HttpRequest.newBuilder(new URI(safeUri4)).build();
|
||||
client.send(r4, null);
|
||||
|
||||
StringBuilder safeUri5 = new StringBuilder();
|
||||
safeUri5.append("https://example.com/").append(request.getParameter("uri5"));
|
||||
HttpRequest r5 = HttpRequest.newBuilder(new URI(safeUri5.toString())).build();
|
||||
client.send(r5, null);
|
||||
|
||||
String safeUri6 = String.format("https://example.com/%s", request.getParameter("uri6"));
|
||||
HttpRequest r6 = HttpRequest.newBuilder(new URI(safeUri6)).build();
|
||||
client.send(r6, null);
|
||||
|
||||
String safeUri7 = String.format("%s/%s", "https://example.com", request.getParameter("uri7"));
|
||||
HttpRequest r7 = HttpRequest.newBuilder(new URI(safeUri7)).build();
|
||||
client.send(r7, null);
|
||||
|
||||
String safeUri8 = String.format("%s%s", "https://example.com/", request.getParameter("uri8"));
|
||||
HttpRequest r8 = HttpRequest.newBuilder(new URI(safeUri8)).build();
|
||||
client.send(r8, null);
|
||||
|
||||
// BAD: cases where a string that would sanitise is used, but occurs in the wrong
|
||||
// place to sanitise user input:
|
||||
String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/";
|
||||
HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build();
|
||||
client.send(unsafer3, null);
|
||||
|
||||
String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/";
|
||||
HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build();
|
||||
client.send(unsafer4, null);
|
||||
|
||||
StringBuilder unsafeUri5 = new StringBuilder();
|
||||
unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/");
|
||||
HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build();
|
||||
client.send(unsafer5, null);
|
||||
|
||||
String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6"));
|
||||
HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build();
|
||||
client.send(unsafer6, null);
|
||||
|
||||
String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com");
|
||||
HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build();
|
||||
client.send(unsafer7, null);
|
||||
|
||||
String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/");
|
||||
HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build();
|
||||
client.send(unsafer8, null);
|
||||
|
||||
} catch (Exception e) {
|
||||
// TODO: handle exception
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user