Merge pull request #273 from asger-semmle/csrf-sources

JS: add RemoteFlowSource.isThirdPartyControllable()
2026-04-29 02:35:15 +02:00 · 2018-10-08 15:09:38 +01:00
parent d2af4ab94a c2a5f99d9c
commit e354694173
4 changed files with 34 additions and 11 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
@@ -404,6 +404,29 @@ module HTTP {
     * Note that this predicate is functional.
     */
    abstract string getKind();
+
+    /**
+     * Holds if this part of the request may be controlled by a third party,
+     * that is, an agent other than the one who sent the request.
+     *
+     * This is true for the URL, query parameters, and request body.
+     * These can be controlled by a malicious third party in the following scenarios:
+     *
+     * - The user clicks a malicious link or is otherwise redirected to a malicious URL.
+     * - The user visits a web site that initiates a form submission or AJAX request on their behalf.
+     *
+     * In these cases, the request is technically sent from the user's browser, but
+     * the user is not in direct control of the URL or POST body.
+     *
+     * Headers are never considered third-party controllable by this predicate, although the
+     * third party does have some control over the the Referer and Origin headers.
+     */
+    predicate isThirdPartyControllable() {
+      exists (string kind | kind = getKind() |
+        kind = "parameter" or
+        kind = "url" or
+        kind = "body")
+    }
  }

  /**
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll
@@ -43,13 +43,12 @@ module ReflectedXss {
    }
  }

-  /** A source of remote user input, considered as a flow source for reflected XSS. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() {
-      this instanceof RemoteFlowSource and
-      // cookies cannot be controlled by a third-party attacker, and hence are
-      // not relevant for reflected XSS
-      not this.(RemoteFlowSource).getSourceType() = "Server request cookie"
+  /** A third-party controllable request input, considered as a flow source for reflected XSS. */
+  class ThirdPartyRequestInputAccessAsSource extends Source {
+    ThirdPartyRequestInputAccessAsSource() {
+      this.(HTTP::RequestInputAccess).isThirdPartyControllable()
+      or
+      this.(HTTP::RequestHeaderAccess).getAHeaderName() = "referer"
    }
  }

--- a/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll
@@ -12,7 +12,6 @@ abstract class RemoteFlowSource extends DataFlow::Node {
  abstract string getSourceType();
 }

-
 /**
 * An access to `document.cookie`, viewed as a source of remote user input.
 */
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ServerSideUrlRedirect.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ServerSideUrlRedirect.qll
@@ -90,9 +90,11 @@ module ServerSideUrlRedirect {

  }

-  /** A source of remote user input, considered as a flow source for URL redirects. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  /** A source of third-party user input, considered as a flow source for URL redirects. */
+  class ThirdPartyRequestInputAccessAsSource extends Source {
+    ThirdPartyRequestInputAccessAsSource() {
+      this.(HTTP::RequestInputAccess).isThirdPartyControllable()
+    }
  }

  /**