Merge pull request github#11959 from erik-krogh/ssrfSan

erik-krogh · web-flow · commit 028fcc7edf9e · 2023-02-14T13:39:53.000+01:00
JS: add encodeURIComponent as a sanitizer for request-forgery
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
@@ -81,4 +81,14 @@ module RequestForgery {
 
     override string getKind() { result = "endpoint" }
   }
+
+  private import Xss as Xss
+
+  /**
+   * A call to `encodeURI` or `encodeURIComponent`, viewed as a sanitizer for request forgery.
+   * These calls will escape "/" to "%2F", which is not a problem for request forgery.
+   * The result from calling `encodeURI` or `encodeURIComponent` is not a valid URL, and only makes sense
+   * as a part of a URL.
+   */
+  class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer { }
 }
diff --git a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected
@@ -15,20 +15,10 @@ nodes
 | check-path.js:19:13:19:43 | 'test.c ... tainted |
 | check-path.js:19:27:19:43 | req.query.tainted |
 | check-path.js:19:27:19:43 | req.query.tainted |
-| check-path.js:22:13:22:63 | 'test.c ... ainted) |
-| check-path.js:22:13:22:63 | 'test.c ... ainted) |
-| check-path.js:22:27:22:63 | encodeU ... ainted) |
-| check-path.js:22:46:22:62 | req.query.tainted |
-| check-path.js:22:46:22:62 | req.query.tainted |
 | check-path.js:23:13:23:45 | `/addre ... inted}` |
 | check-path.js:23:13:23:45 | `/addre ... inted}` |
 | check-path.js:23:27:23:43 | req.query.tainted |
 | check-path.js:23:27:23:43 | req.query.tainted |
-| check-path.js:24:13:24:65 | `/addre ... nted)}` |
-| check-path.js:24:13:24:65 | `/addre ... nted)}` |
-| check-path.js:24:27:24:63 | encodeU ... ainted) |
-| check-path.js:24:46:24:62 | req.query.tainted |
-| check-path.js:24:46:24:62 | req.query.tainted |
 | check-path.js:33:15:33:45 | 'test.c ... tainted |
 | check-path.js:33:15:33:45 | 'test.c ... tainted |
 | check-path.js:33:29:33:45 | req.query.tainted |
@@ -97,18 +87,10 @@ edges
 | check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
 | check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
 | check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
-| check-path.js:22:27:22:63 | encodeU ... ainted) | check-path.js:22:13:22:63 | 'test.c ... ainted) |
-| check-path.js:22:27:22:63 | encodeU ... ainted) | check-path.js:22:13:22:63 | 'test.c ... ainted) |
-| check-path.js:22:46:22:62 | req.query.tainted | check-path.js:22:27:22:63 | encodeU ... ainted) |
-| check-path.js:22:46:22:62 | req.query.tainted | check-path.js:22:27:22:63 | encodeU ... ainted) |
 | check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
 | check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
 | check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
 | check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
-| check-path.js:24:27:24:63 | encodeU ... ainted) | check-path.js:24:13:24:65 | `/addre ... nted)}` |
-| check-path.js:24:27:24:63 | encodeU ... ainted) | check-path.js:24:13:24:65 | `/addre ... nted)}` |
-| check-path.js:24:46:24:62 | req.query.tainted | check-path.js:24:27:24:63 | encodeU ... ainted) |
-| check-path.js:24:46:24:62 | req.query.tainted | check-path.js:24:27:24:63 | encodeU ... ainted) |
 | check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
 | check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
 | check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
@@ -167,9 +149,7 @@ edges
 | check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | The URL of this request depends on a user-provided value. |
 | check-middleware.js:9:13:9:43 | "test.c ... tainted | check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-path.js:19:13:19:43 | 'test.c ... tainted | check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted | The URL of this request depends on a user-provided value. |
-| check-path.js:22:13:22:63 | 'test.c ... ainted) | check-path.js:22:46:22:62 | req.query.tainted | check-path.js:22:13:22:63 | 'test.c ... ainted) | The URL of this request depends on a user-provided value. |
 | check-path.js:23:13:23:45 | `/addre ... inted}` | check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` | The URL of this request depends on a user-provided value. |
-| check-path.js:24:13:24:65 | `/addre ... nted)}` | check-path.js:24:46:24:62 | req.query.tainted | check-path.js:24:13:24:65 | `/addre ... nted)}` | The URL of this request depends on a user-provided value. |
 | check-path.js:33:15:33:45 | 'test.c ... tainted | check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-path.js:37:15:37:45 | 'test.c ... tainted | check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-path.js:45:13:45:44 | `${base ... inted}` | check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` | The URL of this request depends on a user-provided value. |
diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-path.js b/javascript/ql/test/experimental/Security/CWE-918/check-path.js
@@ -19,9 +19,9 @@ app.get('/check-with-axios', req => {
   axios.get('test.com/' + req.query.tainted); // SSRF
   axios.get('test.com/' + Number(req.query.tainted)); // OK
   axios.get('test.com/' + req.user.id); // OK
-  axios.get('test.com/' + encodeURIComponent(req.query.tainted)); // SSRF
+  axios.get('test.com/' + encodeURIComponent(req.query.tainted)); // OK
   axios.get(`/addresses/${req.query.tainted}`); // SSRF
-  axios.get(`/addresses/${encodeURIComponent(req.query.tainted)}`); // SSRF
+  axios.get(`/addresses/${encodeURIComponent(req.query.tainted)}`); // OK
   
   if (Number.isInteger(req.query.tainted)) {
     axios.get('test.com/' + req.query.tainted); // OK
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -88,6 +88,19 @@ nodes
 | serverSide.js:115:25:115:35 | request.url |
 | serverSide.js:117:27:117:29 | url |
 | serverSide.js:117:27:117:29 | url |
+| serverSide.js:123:9:123:52 | tainted |
+| serverSide.js:123:19:123:42 | url.par ... , true) |
+| serverSide.js:123:19:123:48 | url.par ... ).query |
+| serverSide.js:123:19:123:52 | url.par ... ery.url |
+| serverSide.js:123:29:123:35 | req.url |
+| serverSide.js:123:29:123:35 | req.url |
+| serverSide.js:127:14:127:20 | tainted |
+| serverSide.js:127:14:127:20 | tainted |
+| serverSide.js:130:9:130:45 | myUrl |
+| serverSide.js:130:17:130:45 | `${some ... inted}` |
+| serverSide.js:130:37:130:43 | tainted |
+| serverSide.js:131:15:131:19 | myUrl |
+| serverSide.js:131:15:131:19 | myUrl |
 edges
 | serverSide.js:14:9:14:52 | tainted | serverSide.js:18:13:18:19 | tainted |
 | serverSide.js:14:9:14:52 | tainted | serverSide.js:18:13:18:19 | tainted |
@@ -172,6 +185,18 @@ edges
 | serverSide.js:115:17:115:42 | new URL ... , base) | serverSide.js:115:11:115:42 | url |
 | serverSide.js:115:25:115:35 | request.url | serverSide.js:115:17:115:42 | new URL ... , base) |
 | serverSide.js:115:25:115:35 | request.url | serverSide.js:115:17:115:42 | new URL ... , base) |
+| serverSide.js:123:9:123:52 | tainted | serverSide.js:127:14:127:20 | tainted |
+| serverSide.js:123:9:123:52 | tainted | serverSide.js:127:14:127:20 | tainted |
+| serverSide.js:123:9:123:52 | tainted | serverSide.js:130:37:130:43 | tainted |
+| serverSide.js:123:19:123:42 | url.par ... , true) | serverSide.js:123:19:123:48 | url.par ... ).query |
+| serverSide.js:123:19:123:48 | url.par ... ).query | serverSide.js:123:19:123:52 | url.par ... ery.url |
+| serverSide.js:123:19:123:52 | url.par ... ery.url | serverSide.js:123:9:123:52 | tainted |
+| serverSide.js:123:29:123:35 | req.url | serverSide.js:123:19:123:42 | url.par ... , true) |
+| serverSide.js:123:29:123:35 | req.url | serverSide.js:123:19:123:42 | url.par ... , true) |
+| serverSide.js:130:9:130:45 | myUrl | serverSide.js:131:15:131:19 | myUrl |
+| serverSide.js:130:9:130:45 | myUrl | serverSide.js:131:15:131:19 | myUrl |
+| serverSide.js:130:17:130:45 | `${some ... inted}` | serverSide.js:130:9:130:45 | myUrl |
+| serverSide.js:130:37:130:43 | tainted | serverSide.js:130:17:130:45 | `${some ... inted}` |
 #select
 | serverSide.js:18:5:18:20 | request(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:18:13:18:19 | tainted | The $@ of this request depends on a $@. | serverSide.js:18:13:18:19 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
 | serverSide.js:20:5:20:24 | request.get(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:20:17:20:23 | tainted | The $@ of this request depends on a $@. | serverSide.js:20:17:20:23 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
@@ -195,3 +220,5 @@ edges
 | serverSide.js:100:5:100:26 | new Web ... ainted) | serverSide.js:98:29:98:35 | req.url | serverSide.js:100:19:100:25 | tainted | The $@ of this request depends on a $@. | serverSide.js:100:19:100:25 | tainted | URL | serverSide.js:98:29:98:35 | req.url | user-provided value |
 | serverSide.js:109:20:109:30 | new ws(url) | serverSide.js:108:17:108:27 | request.url | serverSide.js:109:27:109:29 | url | The $@ of this request depends on a $@. | serverSide.js:109:27:109:29 | url | URL | serverSide.js:108:17:108:27 | request.url | user-provided value |
 | serverSide.js:117:20:117:30 | new ws(url) | serverSide.js:115:25:115:35 | request.url | serverSide.js:117:27:117:29 | url | The $@ of this request depends on a $@. | serverSide.js:117:27:117:29 | url | URL | serverSide.js:115:25:115:35 | request.url | user-provided value |
+| serverSide.js:125:5:128:6 | axios({ ... \\n    }) | serverSide.js:123:29:123:35 | req.url | serverSide.js:127:14:127:20 | tainted | The $@ of this request depends on a $@. | serverSide.js:127:14:127:20 | tainted | URL | serverSide.js:123:29:123:35 | req.url | user-provided value |
+| serverSide.js:131:5:131:20 | axios.get(myUrl) | serverSide.js:123:29:123:35 | req.url | serverSide.js:131:15:131:19 | myUrl | The $@ of this request depends on a $@. | serverSide.js:131:15:131:19 | myUrl | URL | serverSide.js:123:29:123:35 | req.url | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
@@ -117,3 +117,19 @@ new ws.Server({ port: 8080 }).on('connection', function (socket, request) {
     const socket = new ws(url);
   });
 });
+
+
+var server2 = http.createServer(function(req, res) {
+    var tainted = url.parse(req.url, true).query.url;
+
+    axios({
+        method: 'get',
+        url: tainted // NOT OK
+    })
+
+    var myUrl = `${something}/bla/${tainted}`; 
+    axios.get(myUrl); // NOT OK
+
+    var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`; 
+    axios.get(myEncodedUrl); // OK
+})

Original file line number	Diff line number	Diff line change
`@@ -81,4 +81,14 @@ module RequestForgery {`
`81`	`81`
`82`	`82`	`override string getKind() { result = "endpoint" }`
`83`	`83`	`}`
	`84`	`+`
	`85`	`+ private import Xss as Xss`
	`86`	`+`
	`87`	`+ /**`
	`88`	+ * A call to `encodeURI` or `encodeURIComponent`, viewed as a sanitizer for request forgery.
	`89`	`+ * These calls will escape "/" to "%2F", which is not a problem for request forgery.`
	`90`	+ * The result from calling `encodeURI` or `encodeURIComponent` is not a valid URL, and only makes sense
	`91`	`+ * as a part of a URL.`
	`92`	`+ */`
	`93`	`+ class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer { }`
`84`	`94`	`}`