hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 21:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

ATM: add missing query help files

Browse Source
This commit is contained in:
Jean Helie
2023-01-16 21:48:27 +01:00
parent b08fa43fdf
commit fec7ea6964
2 changed files with 123 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
javascript/ql/experimental/adaptivethreatmodeling/src/ShellCommandInjectionFromEnvironmentATM.md Normal file
View File

@@ -0,0 +1,75 @@
# Shell command built from environment values (experimental)
Dynamically constructing a shell command with values from the
local environment, such as file paths, may inadvertently
change the meaning of the shell command.
Such changes can occur when an environment value contains
characters that the shell interprets in a special way, for instance
quotes and spaces.
This can result in the shell command misbehaving, or even
allowing a malicious user to execute arbitrary commands on the system.
Note: This CodeQL query is an experimental query. Experimental queries generate alerts using machine learning. They might include more false positives but they will improve over time.
## Recommendation
If possible, use hard-coded string literals to specify the
shell command to run, and provide the dynamic arguments to the shell
command separately to avoid interpretation by the shell.
Alternatively, if the shell command must be constructed
dynamically, then add code to ensure that special characters in
environment values do not alter the shell command unexpectedly.
## Example
The following example shows a dynamically constructed shell
command that recursively removes a temporary directory that is located
next to the currently executing JavaScript file. Such utilities are
often found in custom build scripts.
```javascript
var cp = require("child_process"),
path = require("path");
function cleanupTemp() {
let cmd = "rm -rf " + path.join(__dirname, "temp");
cp.execSync(cmd); // BAD
}
```
The shell command will, however, fail to work as intended if the
absolute path of the script's directory contains spaces. In that
case, the shell command will interpret the absolute path as multiple
paths, instead of a single path.
For instance, if the absolute path of
the temporary directory is "`/home/username/important project/temp`", then the shell command will recursively delete
`"/home/username/important"` and `"project/temp"`,
where the latter path gets resolved relative to the working directory
of the JavaScript process.
Even worse, although less likely, a malicious user could
provide the path `"/home/username/; cat /etc/passwd #/important
project/temp"` in order to execute the command `"cat
/etc/passwd"`.
To avoid such potentially catastrophic behaviors, provide the
directory as an argument that does not get interpreted by a
shell:
```javascript
var cp = require("child_process"),
path = require("path");
function cleanupTemp() {
let cmd = "rm",
args = ["-rf", path.join(__dirname, "temp")];
cp.execFileSync(cmd, args); // GOOD
}
```
## References
* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection)

48
javascript/ql/experimental/adaptivethreatmodeling/src/XssThroughDomATM.md Normal file
View File

@@ -0,0 +1,48 @@
# DOM text reinterpreted as HTML (experimental)
Extracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.
A webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.
Note: This CodeQL query is an experimental query. Experimental queries generate alerts using machine learning. They might include more false positives but they will improve over time.
## Recommendation
To guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.
## Example
The following example shows a webpage using a `data-target` attribute
to select and manipulate a DOM element using the JQuery library. In the example, the
`data-target` attribute is read into the `target` variable, and the
`$` function is then supposed to use the `target` variable as a CSS
selector to determine which element should be manipulated.
```javascript
$("button").click(function () {
var target = $(this).attr("data-target");
$(target).hide();
});
```
However, if an attacker can control the `data-target` attribute,
then the value of `target` can be used to cause the `$` function
to execute arbitrary JavaScript.
The above vulnerability can be fixed by using `$.find` instead of `$`.
The `$.find` function will only interpret `target` as a CSS selector
and never as HTML, thereby preventing an XSS attack.
```javascript
$("button").click(function () {
var target = $(this).attr("data-target");
$.find(target).hide();
});
```
## References
* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html)
* OWASP: [(Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS)
* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting)
* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting)