Apply suggestions from code review

Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
This commit is contained in:
Slavomir
2020-07-16 18:36:40 +03:00
committed by GitHub
parent fb78818db7
commit ee4356501a
2 changed files with 6 additions and 6 deletions


@@ -4,8 +4,8 @@
<qhelp>
<overview>
<p>
Oauth2 clients must implement CSRF protection for the redirection URI, which is typically accomplished by including a "state" value that binds the request to
the user's authenticated state. The Go Oauth2 library allows to specify a "state" value which is then included in the auth code URL, and then provided back by the remote authentication server in the redirect callback, from where it must be validated; failure to do so makes the client susceptible to an CSRF attack.
OAuth 2.0 clients must implement CSRF protection for the redirection URI, which is typically accomplished by including a "state" value that binds the request to
the user's authenticated state. The Go OAuth 2.0 library allows to specify a "state" value which is then included in the auth code URL, and then provided back by the remote authentication server in the redirect callback, from where it must be validated; failure to do so makes the client susceptible to an CSRF attack.
</p>
</overview>
<recommendation>
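Review bot: two grammar slips survive the rename in the replacement paragraph: "allows to specify" should read "allows the caller to specify" (or "lets you specify"), and "an CSRF attack" should be "a CSRF attack". Both lines are already rewritten by this hunk, so fix them here rather than in a follow-up. It would also help to say what "must be validated" means in practice: the client stores the `state` it generated (for example in the session) and compares it with the `state` that comes back in the redirect callback, rejecting the callback on mismatch; the current wording only says validation is required, not what is compared with what.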
@@ -23,4 +23,4 @@
</p>
<sample src="ConstantOauth2StateBetter.go" />
</example>
</qhelp>
</qhelp>
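Review bot: the only visible change in this hunk is the repeated closing `</qhelp>` line, which points to a trailing-newline or whitespace difference rather than a content edit; confirm the resulting file ends with exactly one `</qhelp>` followed by a newline so the qhelp XML stays well-formed. The sample reference `ConstantOauth2StateBetter.go` keeps the old `Oauth2` spelling; leaving a file name unchanged is reasonable since renaming it would touch the query tests, but it is now the one place on the page still using that spelling.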


@@ -1,6 +1,6 @@
/**
* @name Use of constant `state` value in Oauth2 URL.
* @description Using a constant value for the `state` in the oauth2 URL makes the application
* @name Use of constant `state` value in OAuth 2.0 URL.
* @description Using a constant value for the `state` in the OAuth 2.0 URL makes the application
* susceptible to CSRF attacks.
* @kind path-problem
* @problem.severity error
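Review bot: the rewritten `@name` still ends with a full stop (`...in OAuth 2.0 URL.`); CodeQL query names are short noun phrases without a trailing period, so drop it while this line is being touched. The `@description` is a full sentence and correctly keeps its period. Consider `in OAuth 2.0 authorization URL` for the name, since the `state` value belongs specifically to the authorization request URL, which is the URL `AuthCodeURL` builds.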
@@ -14,7 +14,7 @@ import DataFlow::PathGraph
/**
* A method that creates a new URL that will send the user
* to the oauth2 authorization dialog of the provider.
* to the OAuth 2.0 authorization dialog of the provider.
*/
class AuthCodeURL extends Method {
AuthCodeURL() { this.hasQualifiedName("golang.org/x/oauth2", "Config", "AuthCodeURL") }
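Review bot: comment-only change in this hunk; the `hasQualifiedName("golang.org/x/oauth2", "Config", "AuthCodeURL")` match is untouched, so query results are unaffected. While editing the comment, "authorization dialog" would be more precise as "authorization endpoint", the term RFC 6749 uses, since "dialog" suggests a UI element rather than the URL the user is redirected to.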