
Commit cb90f9a

committed
Fix to include specification of flag in NODE_OPTIONS
1 parent 522a285 commit cb90f9a


1 file changed

+15
-16
lines changed


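--- a/javascript/ql/src/Security/CWE-444/InsecureHttpParser.ql
+++ b/javascript/ql/src/Security/CWE-444/InsecureHttpParser.ql
@@ -3,7 +3,7 @@
 * @description Using an insecure http parser can lead to http smuggling attacks.
 * @kind problem
 * @problem.severity warning
-* @security-severity 6.0
+* @security-severity 9.0
 * @precision high
 * @id js/insecure-http-parser
 * @tags security
@@ -12,14 +12,6 @@
 
 import javascript
 
-// from DataFlow::CallNode call
-// where
-// call = DataFlow::moduleMember(importLib(), memberCall()).getACall() and
-// call.getOptionArgument(0, "insecureHTTPParser").analyze().getABooleanValue() = true or
-// call.getOptionArgument(1, "insecureHTTPParser").analyze().getABooleanValue() = true
-// select call.getOptionArgument(0, "insecureHTTPParser"),
-// "This argument allows the use of an insecure parser that accepts invalid HTTP headers."
-
 /** Gets options argument for a potential http or https connection */
 DataFlow::InvokeNode nodeInvocation() {
 result instanceof ClientRequest
@@ -32,12 +24,19 @@ DataFlow::ObjectLiteralNode nodeOptions() { result.flowsTo(nodeInvocation().getA
 
 from DataFlow::PropWrite disable
 where
-disable = nodeOptions().getAPropertyWrite("insecureHTTPParser")
-or
-// the same thing, but with API-nodes if they happen to be available
-exists(API::Node nodeInvk | nodeInvk.getAnInvocation() = nodeInvocation() |
-disable.getRhs() = nodeInvk.getAParameter().getMember("insecureHTTPParser").asSink()
+exists(DataFlow::SourceNode env |
+env = NodeJSLib::process().getAPropertyRead("env") and
+disable = env.getAPropertyWrite("NODE_OPTIONS") and
+disable.getRhs().getStringValue().regexpMatch(".*--insecure-http-parser.*")
 )
-and
+or
+(
+disable = nodeOptions().getAPropertyWrite("insecureHTTPParser")
+or
+// the same thing, but with API-nodes if they happen to be available
+exists(API::Node nodeInvk | nodeInvk.getAnInvocation() = nodeInvocation() |
+disable.getRhs() = nodeInvk.getAParameter().getMember("insecureHTTPParser").asSink()
+)
+) and
 disable.getRhs().(AnalyzedNode).getTheBooleanValue() = true
-select disable, "Allowing invalid HTTP headers is strongly discouraged."
+select disable, "Allowing invalid HTTP headers is strongly discouraged."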
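Review bot: The new `NODE_OPTIONS` disjunct in the `where` clause only fires when the assigned value is a constant string, because it goes through `disable.getRhs().getStringValue()`. A flag that reaches the write through a variable, or is appended to the existing options at run time, would likely go unreported. If that coverage is wanted, `exists(string s | disable.getRhs().mayHaveStringValue(s) and s.regexpMatch(".*--insecure-http-parser.*"))` also follows local flow. The clause now mixes `or` and `and`, so `getTheBooleanValue() = true` constrains only the `insecureHTTPParser` branch, and that reading relies on `and` binding tighter than `or`. A comment above the final conjunct such as `// boolean check applies only to the options-object branch; NODE_OPTIONS carries a string` would make it explicit.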
