JS: recognize sanitizing slashes in URL redirection queries#436
Merged
xiemaisi previously approved these changes (Nov 8, 2018)
ghost previously approved these changes (Nov 8, 2018)
ghost left a comment:
Also LGTM, but I would like clarification on the regexp.
Author (Contributor):
Performance goes both ways. I suspect the difference is that there are more sinks now (unreachable due to the sanitizer), so the exploratory flow steps reach a larger graph.
Author (Contributor):
I had also missed that the SSRF query depends on
xiemaisi previously approved these changes (Nov 13, 2018)
Conflicts again.
a2bcc53 to c06c9a0
xiemaisi approved these changes (Nov 19, 2018)
The sanitizer for our URL redirection queries is now more precise, so we no longer get false positives from things like:
The tricky thing about slashes is that they are used in multiple parts of the URL:
The attacker must not be able to control the hostname, so we need to make sure a slash cannot be interpreted as (1). A redirection such as
is unsafe because it can lead to //evil.com.
I've also removed the Sink.maybeNonLocal() predicate from ServerSideUrlRedirect as it appears to implement the same sanitizer as the sanitizing prefix.
I'll run an evaluation, but just putting up for review now.
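As an added example (not code from this PR or from CodeQL), the following Node.js snippet shows at runtime why a bare leading "/" is not a sufficient sanitizing prefix for a redirect target: a second slash or backslash turns the value into a network-path reference, and the tab/newline characters the WHATWG URL parser strips before parsing can hide that second slash. The base origin `https://app.example` and the sample inputs are constructed for illustration.

```javascript
// Added example, not code from the PR or from CodeQL. It shows why a bare
// leading "/" is not a sufficient sanitizing prefix for a redirect target.
// Base origin and sample inputs are constructed for illustration.

// Syntactic check: accept only a same-origin absolute path.
function isLocalRedirectTarget(target) {
  if (typeof target !== 'string' || target.length === 0) return false;
  // The WHATWG URL parser removes ASCII tab and newline before parsing,
  // so "/\t/evil.com" becomes "//evil.com"; reject them up front.
  if (/[\t\n\r]/.test(target)) return false;
  // Must be an absolute path, not a bare relative path or a full URL.
  if (target[0] !== '/') return false;
  // "//host" is a network-path reference; "/\host" is treated the same
  // way for special schemes, so a second slash or backslash is rejected.
  if (target.length > 1 && (target[1] === '/' || target[1] === '\\')) return false;
  return true;
}

// Resolve the target the way a browser would and report the host it lands on.
function resolvedHost(target, base = 'https://app.example') {
  return new URL(target, base).host;
}

// Constructed samples: [target, expected verdict of isLocalRedirectTarget].
const SAMPLES = [
  ['/profile?u=1', true],
  ['//evil.com/x', false],
  ['/\\evil.com', false],
  ['/\t/evil.com', false],
  ['https://evil.com', false],
  ['profile', false],
];

// Returns the number of samples where the syntactic check disagrees with
// the expected verdict, or where an accepted target resolves off-origin.
function countMismatches(base = 'https://app.example') {
  const origin = new URL(base).host;
  let bad = 0;
  for (const [target, expected] of SAMPLES) {
    const verdict = isLocalRedirectTarget(target);
    if (verdict !== expected) bad++;
    if (verdict && resolvedHost(target, base) !== origin) bad++;
  }
  return bad;
}

for (const [target] of SAMPLES) {
  console.log(JSON.stringify(target), isLocalRedirectTarget(target), resolvedHost(target));
}
```

Running it prints each sample with the verdict of the syntactic check next to the host a browser would actually land on, so the off-origin cases that a simple "starts with /" test would let through are visible side by side.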