
Commit 52b650a

Add AllowOriginHeaderWrite and AllowCredentialsHeaderWrite classes
1 parent e92738a commit 52b650a

1 file changed

+21
-11
lines changed


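--- a/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
+++ b/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
@@ -36,6 +36,20 @@ string headerAllowOrigin() { result = "Access-Control-Allow-Origin".toLowerCase(
 */
 string headerAllowCredentials() { result = "Access-Control-Allow-Credentials".toLowerCase() }
 
+/**
+* An `Access-Control-Allow-Origin` header write.
+*/
+class AllowOriginHeaderWrite extends HTTP::HeaderWrite {
+AllowOriginHeaderWrite() { this.getHeaderName() = headerAllowOrigin() }
+}
+
+/**
+* An `Access-Control-Allow-Credentials` header write.
+*/
+class AllowCredentialsHeaderWrite extends HTTP::HeaderWrite {
+AllowCredentialsHeaderWrite() { this.getHeaderName() = headerAllowCredentials() }
+}
+
 /**
 * A taint-tracking configuration for reasoning about when an UntrustedFlowSource
 * flows to a HeaderWrite that writes an `Access-Control-Allow-Origin` header's value.
@@ -45,9 +59,7 @@ class FlowsUntrustedToAllowOriginHeader extends TaintTracking::Configuration {
 
 override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
 
-predicate isSink(DataFlow::Node sink, HTTP::HeaderWrite hw) {
-hw.getHeaderName() = headerAllowOrigin() and sink = hw.getValue()
-}
+predicate isSink(DataFlow::Node sink, AllowOriginHeaderWrite hw) { sink = hw.getValue() }
 
 override predicate isSanitizer(DataFlow::Node node) {
 exists(ControlFlow::ConditionGuardNode cgn |
@@ -65,9 +77,8 @@ class FlowsUntrustedToAllowOriginHeader extends TaintTracking::Configuration {
 * also has another HeaderWrite that sets a `Access-Control-Allow-Credentials`
 * header to `true`.
 */
-predicate allowCredentialsIsSetToTrue(HTTP::HeaderWrite allowOriginHW) {
-exists(HTTP::HeaderWrite allowCredentialsHW |
-allowCredentialsHW.getHeaderName() = headerAllowCredentials() and
+predicate allowCredentialsIsSetToTrue(AllowOriginHeaderWrite allowOriginHW) {
+exists(AllowCredentialsHeaderWrite allowCredentialsHW |
 allowCredentialsHW.getHeaderValue().toLowerCase() = "true"
 |
 allowOriginHW.getResponseWriter() = allowCredentialsHW.getResponseWriter()
@@ -79,7 +90,7 @@ predicate allowCredentialsIsSetToTrue(HTTP::HeaderWrite allowOriginHW) {
 * UntrustedFlowSource.
 * The `message` parameter is populated with the warning message to be returned by the query.
 */
-predicate flowsFromUntrustedToAllowOrigin(HTTP::HeaderWrite allowOriginHW, string message) {
+predicate flowsFromUntrustedToAllowOrigin(AllowOriginHeaderWrite allowOriginHW, string message) {
 exists(FlowsUntrustedToAllowOriginHeader cfg, DataFlow::PathNode source, DataFlow::PathNode sink |
 cfg.hasFlowPath(source, sink) and
 cfg.isSink(sink.getNode(), allowOriginHW)
@@ -94,8 +105,7 @@ predicate flowsFromUntrustedToAllowOrigin(HTTP::HeaderWrite allowOriginHW, strin
 * Holds if the provided `allowOriginHW` HeaderWrite is for a `Access-Control-Allow-Origin`
 * header and the value is set to `null`.
 */
-predicate allowOriginIsNull(HTTP::HeaderWrite allowOriginHW, string message) {
-allowOriginHW.getHeaderName() = headerAllowOrigin() and
+predicate allowOriginIsNull(AllowOriginHeaderWrite allowOriginHW, string message) {
 allowOriginHW.getHeaderValue().toLowerCase() = "null" and
 message =
 headerAllowOrigin() + " header is set to `" + allowOriginHW.getHeaderValue() + "`, and " +
@@ -157,7 +167,7 @@ class FlowsFromUntrusted extends TaintTracking::Configuration {
 /**
 * Holds if the provided `dst` is also destination of a `UntrustedFlowSource`.
 */
-predicate flowsToGuardedByCheckOnUntrusted(HTTP::HeaderWrite allowOriginHW) {
+predicate flowsToGuardedByCheckOnUntrusted(AllowOriginHeaderWrite allowOriginHW) {
 exists(
 FlowsFromUntrusted cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
 ControlFlow::ConditionGuardNode cgn
@@ -168,7 +178,7 @@ predicate flowsToGuardedByCheckOnUntrusted(HTTP::HeaderWrite allowOriginHW) {
 )
 }
 
-from HTTP::HeaderWrite allowOriginHW, string message
+from AllowOriginHeaderWrite allowOriginHW, string message
 where
 allowCredentialsIsSetToTrue(allowOriginHW) and
 (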
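Review bot: The characteristic predicates of the two new classes in the first hunk (`this.getHeaderName() = headerAllowOrigin()` and the credentials counterpart) only match when `HTTP::HeaderWrite.getHeaderName()` already yields a lower-cased name, because both helpers lower-case their constant; I believe the Go library normalizes the name that way, but the QLDoc on each class should state the assumption, e.g. `* Matches on the lower-cased header name, so it relies on `HeaderWrite.getHeaderName()` being case-normalized.` The same dependency now also decides the results of `allowCredentialsIsSetToTrue`, `allowOriginIsNull` and the final `from` clause, since they all range over these classes. Separately, `allowCredentialsIsSetToTrue` and `allowOriginIsNull` compare `getHeaderValue()`, which presumably only exists for constant header values, so a credentials header set to `"true"` from a variable is not recognized; that is pre-existing, but the predicate docs could say "only constant values are considered". The enclosing class and predicate bodies in hunks two through seven start or end outside the visible lines.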
