Add query to detect CORS misconfiguration #7563
Closed: ahmed-farid-dev wants to merge 1,105 commits into github:main from ahmed-farid-dev:tomcat-cors-misconfig
Conversation
…ce regular matching rules
Ruby: Add File.open as a FileSystemAccess
Add a rust-toolchain file to the Ruby directory, which instructs Rustup to install a specific version of Rust (1.54). This will be used in CI, so any use of language features or dependencies that don't support 1.54 will result in a CI failure. This should ensure we have a documented minimum supported Rust version and an easy way to update it in the future (update the rust-toolchain file).
This ensures that if we change our Rust version, the caches will be invalidated.
…el-building-pack JS: Add model building pack for ML-powered queries
Add `Route` classes which model Rails routing information, typically defined in a `routes.rb` file. We extract only the most basic information: HTTP method, path, controller and action. This is enough to determine whether a given controller method is a route handler, and what HTTP method it handles, which is useful for, among other things, the URL redirect query.
Handlers for non-GET requests aren't vulnerable to URL redirect attacks, because browsers won't initiate non-GET requests when you click a link. We can use Rails routing information, if present, to filter out any handlers for non-GET requests.
This predicate isn't used.
This shows how the predicate behaves, as well as a case where it goes wrong.
Any classes/predicates not used externally or in tests are now private. Also fix some typos.
This version is much shorter and hopefully performs a bit better.
Misc: Streamline `consistency-queries/qlpack.yml`
So they follow the same format as the other languages. `git grep codeql-ql` in the ql/ subfolder does not yield any results now.
QL: Streamline qlpacks
Ruby: Hide more SSA nodes from data-flow path explanations
…li-2.8.0 Post-release preparation for codeql-cli-2.8.0
Ruby: Rails route resolution
…9/codeql into tomcat-cors-misconfig
This PR adds a new experimental query that looks for misconfigured CORS headers in a Tomcat config file.
These types of issues are classified under CWE-346: Origin Validation Error.
The query finds the following:
Access-Control-Allow-Origin being set to '*' along with Access-Control-Allow-Credentials set to true. Do let me know if any feedback is required to merge the PR.