add encodeURIComponent as a sanitizer for request-forgery

erik-krogh · erik-krogh · commit 3cece50f78be · 2023-01-23T13:53:53.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
@@ -81,4 +81,14 @@ module RequestForgery {
 
     override string getKind() { result = "endpoint" }
   }
+
+  private import Xss as Xss
+
+  /**
+   * A call to `encodeURI` or `encodeURIComponent`, viewed as a sanitizer for request forgery.
+   * These calls will escape "/" to "%2F", which is not a problem for request forgery.
+   * The result from calling `encodeURI` or `encodeURIComponent` is not a valid URL, and only makes sense
+   * as a part of a URL.
+   */
+  class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer { }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -101,12 +101,6 @@ nodes
 | serverSide.js:130:37:130:43 | tainted |
 | serverSide.js:131:15:131:19 | myUrl |
 | serverSide.js:131:15:131:19 | myUrl |
-| serverSide.js:133:9:133:72 | myEncodedUrl |
-| serverSide.js:133:24:133:72 | `${some ... nted)}` |
-| serverSide.js:133:44:133:70 | encodeU ... ainted) |
-| serverSide.js:133:63:133:69 | tainted |
-| serverSide.js:134:15:134:26 | myEncodedUrl |
-| serverSide.js:134:15:134:26 | myEncodedUrl |
 edges
 | serverSide.js:14:9:14:52 | tainted | serverSide.js:18:13:18:19 | tainted |
 | serverSide.js:14:9:14:52 | tainted | serverSide.js:18:13:18:19 | tainted |
@@ -194,7 +188,6 @@ edges
 | serverSide.js:123:9:123:52 | tainted | serverSide.js:127:14:127:20 | tainted |
 | serverSide.js:123:9:123:52 | tainted | serverSide.js:127:14:127:20 | tainted |
 | serverSide.js:123:9:123:52 | tainted | serverSide.js:130:37:130:43 | tainted |
-| serverSide.js:123:9:123:52 | tainted | serverSide.js:133:63:133:69 | tainted |
 | serverSide.js:123:19:123:42 | url.par ... , true) | serverSide.js:123:19:123:48 | url.par ... ).query |
 | serverSide.js:123:19:123:48 | url.par ... ).query | serverSide.js:123:19:123:52 | url.par ... ery.url |
 | serverSide.js:123:19:123:52 | url.par ... ery.url | serverSide.js:123:9:123:52 | tainted |
@@ -204,11 +197,6 @@ edges
 | serverSide.js:130:9:130:45 | myUrl | serverSide.js:131:15:131:19 | myUrl |
 | serverSide.js:130:17:130:45 | `${some ... inted}` | serverSide.js:130:9:130:45 | myUrl |
 | serverSide.js:130:37:130:43 | tainted | serverSide.js:130:17:130:45 | `${some ... inted}` |
-| serverSide.js:133:9:133:72 | myEncodedUrl | serverSide.js:134:15:134:26 | myEncodedUrl |
-| serverSide.js:133:9:133:72 | myEncodedUrl | serverSide.js:134:15:134:26 | myEncodedUrl |
-| serverSide.js:133:24:133:72 | `${some ... nted)}` | serverSide.js:133:9:133:72 | myEncodedUrl |
-| serverSide.js:133:44:133:70 | encodeU ... ainted) | serverSide.js:133:24:133:72 | `${some ... nted)}` |
-| serverSide.js:133:63:133:69 | tainted | serverSide.js:133:44:133:70 | encodeU ... ainted) |
 #select
 | serverSide.js:18:5:18:20 | request(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:18:13:18:19 | tainted | The $@ of this request depends on a $@. | serverSide.js:18:13:18:19 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
 | serverSide.js:20:5:20:24 | request.get(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:20:17:20:23 | tainted | The $@ of this request depends on a $@. | serverSide.js:20:17:20:23 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
@@ -234,4 +222,3 @@ edges
 | serverSide.js:117:20:117:30 | new ws(url) | serverSide.js:115:25:115:35 | request.url | serverSide.js:117:27:117:29 | url | The $@ of this request depends on a $@. | serverSide.js:117:27:117:29 | url | URL | serverSide.js:115:25:115:35 | request.url | user-provided value |
 | serverSide.js:125:5:128:6 | axios({ ... \\n    }) | serverSide.js:123:29:123:35 | req.url | serverSide.js:127:14:127:20 | tainted | The $@ of this request depends on a $@. | serverSide.js:127:14:127:20 | tainted | URL | serverSide.js:123:29:123:35 | req.url | user-provided value |
 | serverSide.js:131:5:131:20 | axios.get(myUrl) | serverSide.js:123:29:123:35 | req.url | serverSide.js:131:15:131:19 | myUrl | The $@ of this request depends on a $@. | serverSide.js:131:15:131:19 | myUrl | URL | serverSide.js:123:29:123:35 | req.url | user-provided value |
-| serverSide.js:134:5:134:27 | axios.g ... dedUrl) | serverSide.js:123:29:123:35 | req.url | serverSide.js:134:15:134:26 | myEncodedUrl | The $@ of this request depends on a $@. | serverSide.js:134:15:134:26 | myEncodedUrl | URL | serverSide.js:123:29:123:35 | req.url | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js
@@ -131,5 +131,5 @@ var server2 = http.createServer(function(req, res) {
     axios.get(myUrl); // NOT OK
 
     var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`; 
-    axios.get(myEncodedUrl); // OK - but still flagged [INCONSISTENCY]
+    axios.get(myEncodedUrl); // OK
 })

Original file line number	Diff line number	Diff line change
`@@ -81,4 +81,14 @@ module RequestForgery {`
`81`	`81`
`82`	`82`	`override string getKind() { result = "endpoint" }`
`83`	`83`	`}`
	`84`	`+`
	`85`	`+ private import Xss as Xss`
	`86`	`+`
	`87`	`+ /**`
	`88`	+ * A call to `encodeURI` or `encodeURIComponent`, viewed as a sanitizer for request forgery.
	`89`	`+ * These calls will escape "/" to "%2F", which is not a problem for request forgery.`
	`90`	+ * The result from calling `encodeURI` or `encodeURIComponent` is not a valid URL, and only makes sense
	`91`	`+ * as a part of a URL.`
	`92`	`+ */`
	`93`	`+ class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer { }`
`84`	`94`	`}`