Fix to include specification of flag in NODE_OPTIONS

2026-04-28 10:15:14 +02:00 · 2023-04-18 00:41:48 -04:00
parent 522a285d9e
commit cb90f9af3c
1 changed files with 15 additions and 16 deletions
--- a/javascript/ql/src/Security/CWE-444/InsecureHttpParser.ql
+++ b/javascript/ql/src/Security/CWE-444/InsecureHttpParser.ql
@@ -3,7 +3,7 @@
 * @description Using an insecure http parser can lead to http smuggling attacks.
 * @kind problem
 * @problem.severity warning
- * @security-severity 6.0
+ * @security-severity 9.0
 * @precision high
 * @id js/insecure-http-parser
 * @tags security
@@ -12,14 +12,6 @@

 import javascript

-// from DataFlow::CallNode call
-// where 
-//   call = DataFlow::moduleMember(importLib(), memberCall()).getACall() and
-//   call.getOptionArgument(0, "insecureHTTPParser").analyze().getABooleanValue() = true or
-//   call.getOptionArgument(1, "insecureHTTPParser").analyze().getABooleanValue() = true
-// select call.getOptionArgument(0, "insecureHTTPParser"),
-//   "This argument allows the use of an insecure parser that accepts invalid HTTP headers."
-
 /** Gets options argument for a potential http or https connection */
 DataFlow::InvokeNode nodeInvocation() {
  result instanceof ClientRequest
@@ -32,12 +24,19 @@ DataFlow::ObjectLiteralNode nodeOptions() { result.flowsTo(nodeInvocation().getA

 from DataFlow::PropWrite disable
 where
-  disable = nodeOptions().getAPropertyWrite("insecureHTTPParser")
-  or
-  // the same thing, but with API-nodes if they happen to be available
-  exists(API::Node nodeInvk | nodeInvk.getAnInvocation() = nodeInvocation() |
-    disable.getRhs() = nodeInvk.getAParameter().getMember("insecureHTTPParser").asSink()
+  exists(DataFlow::SourceNode env |
+    env = NodeJSLib::process().getAPropertyRead("env") and
+    disable = env.getAPropertyWrite("NODE_OPTIONS") and
+    disable.getRhs().getStringValue().regexpMatch(".*--insecure-http-parser.*")
  )
-  and
+  or
+  (
+    disable = nodeOptions().getAPropertyWrite("insecureHTTPParser")
+    or
+    // the same thing, but with API-nodes if they happen to be available
+    exists(API::Node nodeInvk | nodeInvk.getAnInvocation() = nodeInvocation() |
+      disable.getRhs() = nodeInvk.getAParameter().getMember("insecureHTTPParser").asSink()
+    )
+  ) and
  disable.getRhs().(AnalyzedNode).getTheBooleanValue() = true
-select disable, "Allowing invalid HTTP headers is strongly discouraged."
+select disable, "Allowing invalid HTTP headers is strongly discouraged."