
Commit f1799ae

committed
print the endpointExample in the alert-messsage, and only report one working example
1 parent 5e3cb08 commit f1799ae


2 files changed

+17
-11
lines changed


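--- a/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
+++ b/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
@@ -116,22 +116,29 @@ predicate isMatchingCandidate(
 exists(getCaseSensitiveBypassExample(getARoot(regexp))) and
 ignorePrefix = true and
 testWithGroups = false and
-str = [getCaseSensitiveBypassExample(getARoot(regexp)), getAnEndpointExample(endPoint)]
+str =
+[
+getCaseSensitiveBypassExample(getARoot(regexp)), getAnEndpointExample(endPoint),
+toOtherCase(getAnEndpointExample(endPoint))
+]
 )
 }
 
 import RegexpMatching::RegexpMatching<isMatchingCandidate/4> as Matcher
 
 from
 DataFlow::RegExpCreationNode regexp, Routing::RouteSetup middleware, Routing::RouteSetup endpoint,
-DataFlow::Node arg, string byPassExample, string endpointExample
+DataFlow::Node arg, string byPassExample, string endpointExample, string byPassEndPoint
 where
 isCaseSensitiveMiddleware(middleware, regexp, arg) and
 byPassExample = getCaseSensitiveBypassExample(getARoot(regexp)) and
 isGuardedCaseInsensitiveEndpoint(endpoint, middleware) and
-endpointExample = getAnEndpointExample(endpoint) and
-Matcher::matches(regexp.getRoot(), endpointExample) and
-not Matcher::matches(regexp.getRoot(), byPassExample)
+// only report one example.
+endpointExample =
+min(string ex | ex = getAnEndpointExample(endpoint) and Matcher::matches(regexp.getRoot(), ex)) and
+not Matcher::matches(regexp.getRoot(), byPassExample) and
+byPassEndPoint = toOtherCase(endpointExample) and
+not Matcher::matches(regexp.getRoot(), byPassEndPoint)
 select arg,
 "This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '"
-+ byPassExample + "' will bypass the middleware.", regexp, "pattern", endpoint, "here"
++ byPassEndPoint + "' will bypass the middleware.", regexp, "pattern", endpoint, "here"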
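Review bot: The `min(...)` on the new `endpointExample =` line selects the lexicographically smallest endpoint example that the regexp matches before the later `not Matcher::matches(regexp.getRoot(), byPassEndPoint)` check is applied, so when that one example's other-case variant also happens to match the regexp, the endpoint produces no alert at all even if another of its examples would demonstrate the bypass — a false negative the old per-example formulation (which reported every matching example) did not have. Folding the bypass condition into the aggregate keeps the single-alert intent while choosing only among examples that actually bypass: `endpointExample = min(string ex | ex = getAnEndpointExample(endpoint) and Matcher::matches(regexp.getRoot(), ex) and not Matcher::matches(regexp.getRoot(), toOtherCase(ex))) and` followed by `byPassEndPoint = toOtherCase(endpointExample) and`. The candidate set in isMatchingCandidate already includes `toOtherCase(getAnEndpointExample(endPoint))`, so the matcher can evaluate that variant for every example. The comment `// only report one example.` would be more useful as `// pick a single matching example per endpoint so each endpoint yields one alert; min() makes the choice deterministic`. isMatchingCandidate begins before this hunk.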
Lines changed: 4 additions & 5 deletions
@@ -1,8 +1,7 @@
1-
| tst.js:8:9:8:19 | /\\/foo\\/.*/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO/' will bypass the middleware. | tst.js:8:9:8:19 | /\\/foo\\/.*/ | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
2-
| tst.js:14:5:14:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO' will bypass the middleware. | tst.js:14:5:14:28 | new Reg ... (.*)?') | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
3-
| tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO/0' will bypass the middleware. | tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
4-
| tst.js:64:5:64:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/BAR' will bypass the middleware. | tst.js:64:5:64:28 | new Reg ... (.*)?') | pattern | tst.js:73:1:74:2 | app.get ... ware\\n}) | here |
1+
| tst.js:8:9:8:19 | /\\/foo\\/.*/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO/1' will bypass the middleware. | tst.js:8:9:8:19 | /\\/foo\\/.*/ | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
2+
| tst.js:14:5:14:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO/1' will bypass the middleware. | tst.js:14:5:14:28 | new Reg ... (.*)?') | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
3+
| tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO/1' will bypass the middleware. | tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
4+
| tst.js:64:5:64:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/BAR/1' will bypass the middleware. | tst.js:64:5:64:28 | new Reg ... (.*)?') | pattern | tst.js:73:1:74:2 | app.get ... ware\\n}) | here |
55
| tst.js:76:9:76:20 | /\\/baz\\/bla/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/BAZ/BLA' will bypass the middleware. | tst.js:76:9:76:20 | /\\/baz\\/bla/ | pattern | tst.js:77:1:79:2 | app.get ... });\\n}) | here |
66
| tst.js:86:9:86:30 | /\\/[Bb] ... 3\\/[a]/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/BAZ3/A' will bypass the middleware. | tst.js:86:9:86:30 | /\\/[Bb] ... 3\\/[a]/ | pattern | tst.js:87:1:89:2 | app.get ... });\\n}) | here |
77
| tst.js:91:9:91:40 | /\\/summ ... ntGame/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/CURRENTGAME' will bypass the middleware. | tst.js:91:9:91:40 | /\\/summ ... ntGame/ | pattern | tst.js:93:1:95:2 | app.get ... O");\\n}) | here |
8-
| tst.js:91:9:91:40 | /\\/summ ... ntGame/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/SUMMONERBYNAME' will bypass the middleware. | tst.js:91:9:91:40 | /\\/summ ... ntGame/ | pattern | tst.js:93:1:95:2 | app.get ... O");\\n}) | here |
