Skip to content

JS: add query js/incomplete-url-substring-sanitization#623

Merged
semmle-qlci merged 3 commits into
masterfrom
unknown repository
Dec 6, 2018
Merged

JS: add query js/incomplete-url-substring-sanitization#623
semmle-qlci merged 3 commits into
masterfrom
unknown repository

Conversation

@ghost

@ghost ghost commented Dec 5, 2018

Copy link
Copy Markdown

This adds a query for flagging insecure substring checks for the host of an URL.

The tricky part of the query is to recognize such substring checks precisely. I have experimented with identifying likely URL and hostname values, based on associated variable and property names, but it turns out that it is sufficently precise to recognize strings as likely URLs or host names with a regular expression. We may want to downgrade the precision or sharpen further once we see the results for all of LGTM.com.

Notice that this query excludes non-trivial position checks on result of indexOf calls, so it should not overlap with js/incorrect-suffix-check.

Performance and results are reasonable.

@ghost ghost added the JS label Dec 5, 2018
@ghost ghost self-requested a review as a code owner December 5, 2018 14:25

@asger-semmle asger-semmle left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

One suggestion: if the URL starts with https:// or similar, the TLD check can be omitted as the HTTP protocol should be a strong enough indicator on its own. But I'll leave it up to you if you want to add that.

Comment thread javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql Outdated
@ghost

ghost commented Dec 5, 2018

Copy link
Copy Markdown
Author

HTTP protocol should be a strong enough indicator on its own

I agree, but there are many benign u.indexOf('https://') checks, so I also require a TLD to be present -- that complements the fixed set of TLDs nicely.

@ghost

ghost commented Dec 6, 2018

Copy link
Copy Markdown
Author

Ping @mc-semmle for a doc review.

@ghost ghost requested a review from mchammer01 December 6, 2018 12:42
@ghost ghost mentioned this pull request Dec 6, 2018

@mchammer01 mchammer01 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@esben-semmle - documentation review completed. This looks good.
I've made a couple of minor comments on the qhelp file, and I think that a verb in the @description tag of the ql file needs to be plural. Hope this helps.

Comment thread javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql Outdated
Comment thread javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp Outdated
Comment thread javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp Outdated
@ghost

ghost commented Dec 6, 2018

Copy link
Copy Markdown
Author

@mchammer01

Copy link
Copy Markdown
Contributor

Thanks for your latest updates to the documentation @esben-semmle - good to go from my point of view

@semmle-qlci semmle-qlci merged commit 9e73ed7 into github:master Dec 6, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants