Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JS: Add 'case sensitive middleware' query #9718

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

JS: Add 'case sensitive middleware' query #9718

wants to merge 9 commits into from
+306 −0

Conversation

asgerf
Copy link
Contributor

@asgerf asgerf commented Jun 27, 2022

Adds a query for detecting middlewares that can be bypassed due to having a case-sensitive regular expression as its path.

Evaluations have been split into a few parts:

@asgerf asgerf added the JS label Jun 27, 2022
@asgerf asgerf requested a review from as a code owner Jun 27, 2022
esbena
esbena reviewed Jun 28, 2022
View changes
javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.qhelp
<overview>
<p>
Using a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware
when accessing an endpoint with a case-insensitive path.
Copy link
Contributor

@esbena esbena Jun 28, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to explain that explicit string routes typically are treated case-insensitively.

esbena
esbena reviewed Jun 28, 2022
View changes
javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.qhelp Outdated

<recommendation>
<p>
When using a regular expression as a middlware path, make sure the regular expression is
Copy link
Contributor

@esbena esbena Jun 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
When using a regular expression as a middlware path, make sure the regular expression is
When using a regular expression as a middleware path, make sure the regular expression is

esbena
esbena reviewed Jun 28, 2022
View changes
javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql Outdated
* Converts `s` to upper case, or to lower-case if it was already upper case.
*/
bindingset[s]
string invertCase(string s) {
Copy link
Contributor

@esbena esbena Jun 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In isolation, I find the naming confusing here. If s is mixed case, it will be upper-cased, that does not sound like an inversion.

Copy link
Contributor Author

@asgerf asgerf Jun 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed to toOtherCase

esbena
esbena reviewed Jun 28, 2022
View changes
javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql Outdated
}

/**
* Holds if `term` distinguishes between upper and lower case letters, assuming the `i` flag is not present.
Copy link
Contributor

@esbena esbena Jun 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that this predicate suits the query: it identifies the typical regexp routes such as /admin\/.*/.
The predicate will however also hold (wrongly) for cases such as /a|A/ or /[abcA-C]/

Could the docstring/predicate name be something like isCaseSensitiveRouteRegExp?

Copy link
Contributor Author

@asgerf asgerf Jun 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed to isLikelyCaseSensitiveRegExp

@esbena esbena added the ready-for-doc-review label Jun 28, 2022
esbena
esbena approved these changes Jun 28, 2022
View changes
Copy link
Contributor

@esbena esbena left a comment

LGTM. Thanks for making this query a reality.
We are ready for the docs review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@esbena esbena

Assignees
No one assigned
Labels
documentation JS ready-for-doc-review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@asgerf @esbena