JS: add "host" as a sink for js/request-forgery

Esben Sparre Andreasen · Esben Sparre Andreasen · commit c6b4e29b93a1 · 2018-12-17T10:32:30.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/RequestForgery.qll b/javascript/ql/src/semmle/javascript/security/dataflow/RequestForgery.qll
@@ -72,16 +72,20 @@ module RequestForgery {
 
     ClientRequest request;
 
+    string kind;
+
     ClientRequestUrlAsSink() {
-      this = request.getUrl()
+      this = request.getUrl() and kind = "URL" or
+      this = request.getHost() and kind = "host"
     }
 
     override DataFlow::Node getARequest() {
       result = request
     }
 
     override string getKind() {
-      result = "URL"
+      result = kind
     }
+
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -13,13 +13,15 @@ nodes
 | tst.js:26:36:26:42 | tainted |
 | tst.js:28:13:28:43 | "http:/ ... tainted |
 | tst.js:28:37:28:43 | tainted |
+| tst.js:32:34:32:40 | tainted |
 edges
 | tst.js:12:9:12:52 | tainted | tst.js:16:13:16:19 | tainted |
 | tst.js:12:9:12:52 | tainted | tst.js:18:17:18:23 | tainted |
 | tst.js:12:9:12:52 | tainted | tst.js:21:19:21:25 | tainted |
 | tst.js:12:9:12:52 | tainted | tst.js:24:25:24:31 | tainted |
 | tst.js:12:9:12:52 | tainted | tst.js:26:36:26:42 | tainted |
 | tst.js:12:9:12:52 | tainted | tst.js:28:37:28:43 | tainted |
+| tst.js:12:9:12:52 | tainted | tst.js:32:34:32:40 | tainted |
 | tst.js:12:19:12:42 | url.par ... , true) | tst.js:12:19:12:48 | url.par ... ).query |
 | tst.js:12:19:12:48 | url.par ... ).query | tst.js:12:19:12:52 | url.par ... ery.url |
 | tst.js:12:19:12:52 | url.par ... ery.url | tst.js:12:9:12:52 | tainted |
@@ -34,3 +36,4 @@ edges
 | tst.js:24:5:24:32 | request ... ainted) | tst.js:12:29:12:35 | req.url | tst.js:24:13:24:31 | "http://" + tainted | The $@ of this request depends on $@. | tst.js:24:13:24:31 | "http://" + tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
 | tst.js:26:5:26:43 | request ... ainted) | tst.js:12:29:12:35 | req.url | tst.js:26:13:26:42 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:26:13:26:42 | "http:/ ... tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
 | tst.js:28:5:28:44 | request ... ainted) | tst.js:12:29:12:35 | req.url | tst.js:28:13:28:43 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:28:13:28:43 | "http:/ ... tainted | URL | tst.js:12:29:12:35 | req.url | a user-provided value |
+| tst.js:32:5:32:42 | http.ge ... inted}) | tst.js:12:29:12:35 | req.url | tst.js:32:34:32:40 | tainted | The $@ of this request depends on $@. | tst.js:32:34:32:40 | tainted | host | tst.js:12:29:12:35 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/tst.js b/javascript/ql/test/query-tests/Security/CWE-918/tst.js
@@ -28,4 +28,6 @@ var server = http.createServer(function(req, res) {
     request("http://example.com/" + tainted); // NOT OK
 
     request("http://example.com/?" + tainted); // OK
+
+    http.get(relativeUrl, {host: tainted}); // NOT OK
 })

Original file line number	Diff line number	Diff line change
`@@ -72,16 +72,20 @@ module RequestForgery {`
`72`	`72`
`73`	`73`	`ClientRequest request;`
`74`	`74`
	`75`	`+ string kind;`
	`76`	`+`
`75`	`77`	`ClientRequestUrlAsSink() {`
`76`		`- this = request.getUrl()`
	`78`	`+ this = request.getUrl() and kind = "URL" or`
	`79`	`+ this = request.getHost() and kind = "host"`
`77`	`80`	`}`
`78`	`81`
`79`	`82`	`override DataFlow::Node getARequest() {`
`80`	`83`	`result = request`
`81`	`84`	`}`
`82`	`85`
`83`	`86`	`override string getKind() {`
`84`		`- result = "URL"`
	`87`	`+ result = kind`
`85`	`88`	`}`
	`89`	`+`
`86`	`90`	`}`
`87`	`91`	`}`