Skip to content

JS: Detect additional URLs in js/incomplete-url-substring-sanitization when the substring check is an includes check#4054

Merged
codeql-ci merged 5 commits intogithub:mainfrom
erik-krogh:urlIncludes
Aug 17, 2020
Merged

JS: Detect additional URLs in js/incomplete-url-substring-sanitization when the substring check is an includes check#4054
codeql-ci merged 5 commits intogithub:mainfrom
erik-krogh:urlIncludes

Conversation

@erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Aug 12, 2020
edited
Loading

Using an includes check for URLs is just generally bad.

With this PR the js/incomplete-url-substring-sanitization is expanded such that URLs that contain path elements are recognized when the substring check is an includes check.

I decided to still require that the URL starts with http:// to make very sure that we only match URL checks.

@erik-krogh erik-krogh added the JS label Aug 12, 2020
@erik-krogh erik-krogh marked this pull request as ready for review August 12, 2020 18:00
@erik-krogh erik-krogh requested a review from a team as a code owner August 12, 2020 18:00
esbena
esbena requested changes Aug 13, 2020
View reviewed changes
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. A few nits.

javascript/ql/test/query-tests/Security/CWE-020/tst-IncompleteUrlSubstringSanitization.js Outdated
}
}

x.startsWith("https://secure.com/foo/bar"); // OK - the trailing slash makes prefix checks safe.
Copy link
Contributor

@esbena esbena Aug 13, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no trailing slash here. Can you reformulate the explanation?

javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql Outdated
or
// target is a HTTP URL to a domain on any TLD with path elements, and the check is an includes check
check instanceof StringOps::Includes and
target.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+([a-z]+)(:[0-9]+)?/([a-z0-9-]+/?)*")
Copy link
Contributor

@esbena esbena Aug 13, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optional changes (3), pick the ones you want:

  • consistency for TLDs
  • more permissive paths
  • flattening of quantifiers
Suggested change
target.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+([a-z]+)(:[0-9]+)?/([a-z0-9-]+/?)*")
target.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+" + RegExpPatterns::commonTLD() + "(:[0-9]+)?/[a-z0-9/_-]+")

Copy link
Contributor Author

@erik-krogh erik-krogh Aug 13, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm going with 2+3.

@adityasharad adityasharad changed the base branch from master to main August 14, 2020 18:33
@codeql-ci codeql-ci merged commit c917cd0 into github:main Aug 17, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@esbena esbena esbena approved these changes

Assignees

No one assigned

Labels

JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@erik-krogh @esbena @codeql-ci