/**
* @name Insecure URL whitelist
* @description URL whitelists that are too permissive can cause security vulnerabilities.
* @kind problem
* @problem.severity warning
* @security-severity 7.5
* @precision very-high
* @id js/angular/insecure-url-whitelist
* @tags security
* frameworks/angularjs
* external/cwe/cwe-183
* external/cwe/cwe-625
*/
import javascript
/**
 * Holds if `setupCall` invokes `resourceUrlWhitelist` on the `$sceDelegateProvider`
 * service and the array literal `list` flows into its first argument.
 */
predicate isResourceUrlWhitelist(
  DataFlow::MethodCallNode setupCall, DataFlow::ArrayCreationNode list
) {
  exists(AngularJS::ServiceReference delegateProvider |
    delegateProvider.getName() = "$sceDelegateProvider" and
    setupCall = delegateProvider.getAMethodCall("resourceUrlWhitelist")
  ) and
  // only array literals that reach the whitelist argument are considered
  list.flowsTo(setupCall.getArgument(0))
}
/**
 * An entry in a resource URL whitelist: an element of the array literal passed to
 * `$sceDelegateProvider.resourceUrlWhitelist`, restricted to elements for which a
 * string value is known.
 */
class ResourceUrlWhitelistEntry extends Expr {
  DataFlow::MethodCallNode setupCall;
  string pattern;

  ResourceUrlWhitelistEntry() {
    exists(DataFlow::ArrayCreationNode whitelist |
      isResourceUrlWhitelist(setupCall, whitelist) and
      this = whitelist.getAnElement().asExpr() and
      // binds `pattern`; an element may have more than one candidate string value
      this.mayHaveStringValue(pattern)
    )
  }

  /** Gets the method call that sets up this whitelist. */
  DataFlow::MethodCallNode getSetupCall() { result = setupCall }

  /**
   * Gets the component of `pattern` named `componentName` ("scheme", "domain" or
   * "TLD"), as captured by the URL regex below. Has no result when `pattern` does
   * not match the regex as a whole (for instance, an entry without `://`, such as
   * `'self'` or a bare `**`) or when the optional TLD group did not participate.
   */
  private string getUrlComponent(string componentName) {
    exists(int captureGroup |
      componentName = "scheme" and captureGroup = 1
      or
      componentName = "domain" and captureGroup = 2
      or
      componentName = "TLD" and captureGroup = 4
    |
      result = pattern.regexpCapture("(.*?)://(.*?(\\.(.*?))?)(:\\d+)?(/.*)?", captureGroup)
    )
  }

  /**
   * Holds if the `componentName` component of `pattern` has value `component` and
   * that value is wildcarded too loosely: any `*` in the scheme, a `**` anywhere in
   * the domain, or a TLD that is exactly `*`.
   */
  private predicate hasInsecureComponent(string componentName, string component) {
    component = this.getUrlComponent(componentName) and
    (
      componentName = "scheme" and component.matches("%*%")
      or
      componentName = "domain" and component.matches("%**%")
      or
      componentName = "TLD" and component = "*"
    )
  }

  /**
   * Holds if this expression is insecure to use in an URL pattern whitelist due
   * to the reason given by `explanation`.
   */
  predicate isInsecure(string explanation) {
    exists(string componentName, string component |
      this.hasInsecureComponent(componentName, component) and
      explanation = "the " + componentName + " '" + component + "' is insecurely specified"
    )
  }
}
// Report each insecure whitelist entry at the call that installs the whitelist,
// linking the message back to the offending entry.
from ResourceUrlWhitelistEntry entry, string explanation
where entry.isInsecure(explanation)
select entry.getSetupCall(), "$@ is not a secure whitelist entry, because " + explanation + ".", entry,
  entry.toString()