Merge pull request #1 from npesaresi/feature/SSRF

CWE-918

Author: npesaresi

ql/src/experimental/CWE-918/SSRF.go

@@ -0,0 +1,18 @@
+package main
+
+import (
+	"net/http"
+)
+
+func handler(w http.ResponseWriter, req *http.Request) {
+	target := req.FormValue("target")
+
+	// BAD: `target` is controlled by the attacker
+	resp, err := http.Get("https://example.com/current_api/" + target)
+	if err != nil {
+		// error handling
+	}
+
+	// process request response
+	use(resp)
+}

ql/src/experimental/CWE-918/SSRF.qhelp

@@ -0,0 +1,49 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly incorporating user input into an HTTP request without validating the input can facilitate
+server side request forgery attacks, where the attacker essentially controls the request.
+</p>
+</overview>
+
+<recommendation>
+<p>
+To guard against server side request forgery, it is advisable to avoid putting user input directly into a
+network request. If using user input is necessary, then is mandatory to validate them. Only allow numeric and alphanumeric values.
+URL encoding is not a solution in certain scenarios, such as, an architecture build over NGINX proxies.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows an HTTP request parameter being used directly in a URL request without
+validating the input, which facilitates an SSRF attack. The request <code>http.Get("https://example.com/current_api/"+target)</code> is
+vulnerable since attackers can choose the value of <code>target</code> to be anything they want. For
+instance, the attacker can choose <code>"../super_secret_api"</code> as the target, causing the
+URL to become <code>"https://example.com/super_secret_api"</code>.
+</p>
+
+<p>
+A request to <code>https://example.com/super_secret_api</code> may be problematic if that api is not
+meant to be directly accessible from the attacker's machine.
+</p>
+
+<sample src="SSRF.go"/>
+
+<p>
+One way to remedy the problem is to validate the user input to only allow alphanumeric values:
+</p>
+
+<sample src="SSRFGood.go"/>
+</example>
+
+<references>
+
+<li>OWASP: <a href="https://www.owasp.org/www-community/attacks/Server_Side_Request_Forgery">SSRF</a></li>
+
+</references>
+</qhelp>

ql/src/experimental/CWE-918/SSRF.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Uncontrolled data used in network request
+ * @description Sending network requests with user-controlled data allows for request forgery attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+import go
+import SSRF.SSRF
+import DataFlow::PathGraph
+
+from
+  SSRF::Configuration cfg, DataFlow::PathNode source,
+  DataFlow::PathNode sink, DataFlow::Node request
+where
+  cfg.hasFlowPath(source, sink) and
+  request = sink.getNode().(SSRF::Sink).getARequest()
+select request, source, sink, "The URL of this request depends on a user-provided value"

ql/src/experimental/CWE-918/SSRF.qll

@@ -0,0 +1,172 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about request forgery
+ * (SSRF) vulnerabilities.
+ */
+
+import go
+
+/**
+ * Provides a taint-tracking configuration for reasoning about request forgery
+ * (SSRF) vulnerabilities.
+ */
+module SSRF {
+  import semmle.go.frameworks.Gin
+  import SSRF.validator
+  import semmle.go.security.UrlConcatenation
+  import semmle.go.dataflow.barrierguardutil.RegexpCheck
+  import semmle.go.dataflow.Properties
+
+  //#region config
+  /**
+   * A taint-tracking configuration for reasoning about request forgery.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "SSRF" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      // propagate to a URL when its host is assigned to
+      exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
+        w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
+      )
+    }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      super.isSanitizer(node) or
+      node instanceof Sanitizer
+    }
+
+    override predicate isSanitizerOut(DataFlow::Node node) {
+      super.isSanitizerOut(node) or
+      node instanceof SanitizerEdge
+    }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      super.isSanitizerGuard(guard) or guard instanceof SanitizerGuard
+    }
+  }
+
+  //#endregion
+  //#region abstract classes
+  /** A data flow source for request forgery vulnerabilities. */
+  abstract class Source extends DataFlow::Node { }
+
+  /** A data flow sink for request forgery vulnerabilities. */
+  abstract class Sink extends DataFlow::Node {
+    /** Gets a request that uses this sink. */
+    abstract DataFlow::Node getARequest();
+
+    /**
+     * Gets the name of a part of the request that may be tainted by this sink,
+     * such as the URL or the host.
+     */
+    abstract string getKind();
+  }
+
+  /** A sanitizer for request forgery vulnerabilities. */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** An outgoing sanitizer edge for request forgery vulnerabilities. */
+  abstract class SanitizerEdge extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for request forgery vulnerabilities.
+   */
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  //#endregion
+  //#region source
+  /**
+   * An user controlled input, considered as a flow source for request forgery.
+   */
+  class UntrustedFlowAsSource extends Source, UntrustedFlowSource { }
+
+  //#endregion
+  //#region sink
+  /**
+   * The URL of an HTTP request, viewed as a sink for request forgery.
+   */
+  private class ClientRequestUrlAsSink extends Sink {
+    HTTP::ClientRequest request;
+
+    ClientRequestUrlAsSink() { this = request.getUrl() }
+
+    override DataFlow::Node getARequest() { result = request }
+
+    override string getKind() { result = "URL" }
+  }
+
+  /**
+   * The URL of a WebSocket request, viewed as a sink for request forgery.
+   */
+  class WebSocketCallAsSink extends Sink {
+    WebSocketRequestCall request;
+
+    WebSocketCallAsSink() { this = request.getRequestUrl() }
+
+    override DataFlow::Node getARequest() { result = request }
+
+    override string getKind() { result = "WebSocket URL" }
+  }
+
+  //#endregion
+  //#region sanitizers
+  /**
+   * Result value of prepending a string that prevents any value from controlling the
+   * host of a URL.
+   */
+  private class PathSanitizer extends SanitizerEdge {
+    PathSanitizer() { sanitizingPrefixEdge(this, _) }
+  }
+
+  /**
+   * A call to a regexp match function, considered as a barrier guard for sanitizing untrusted URLs.
+   *
+   * This is overapproximate: we do not attempt to reason about the correctness of the regexp.
+   */
+  class RegexpCheckAsBarrierGuard extends RegexpCheck, SanitizerGuard { }
+
+  /**
+   * An equality check comparing a data-flow node against a constant string, considered as
+   * a barrier guard for sanitizing untrusted URLs.
+   */
+  class EqualityAsSanitizerGuard extends SanitizerGuard, DataFlow::EqualityTestNode {
+    DataFlow::Node url;
+
+    EqualityAsSanitizerGuard() {
+      exists(this.getAnOperand().getStringValue()) and 
+      url = this.getAnOperand()
+    }
+
+    override predicate checks(Expr e, boolean outcome) {
+      e = url.asExpr() and outcome = this.getPolarity()
+    }
+  }
+
+  /**
+   * If the tainted variable is a boolean or has numeric type is not possible to exploit a SSRF
+   */
+  class NumSanitizer extends Sanitizer {
+    NumSanitizer() {
+      this.getType() instanceof NumericType or
+      this.getType() instanceof BoolType
+    }
+  }
+
+  /**
+   * When we receive a body from a request, we can use certain tags on our struct's fields to hint
+   * the binding function to run some validations for that field. If these binding functions returns
+   * no error, then we consider these fields safe for SSRF.
+   */
+  class BodySanitizer extends Sanitizer, BodyTagSanitizer {}
+
+  /**
+   * The method Var of package validator is a sanitizer guard only if the check 
+   * of the error binding exists, and the tag to check is one of "alpha", "alphanum", "alphaunicode", "alphanumunicode", "number", "numeric".
+   */
+  class ValidatorAsSanitizer extends SanitizerGuard, ValidatorVarCheck {}
+  //#endregion
+}

ql/src/experimental/CWE-918/SSRFGood.go

@@ -0,0 +1,20 @@
+package main
+
+import (
+	"net/http"
+	"github.com/go-playground/validator"
+)
+
+func handler(w http.ResponseWriter, req *http.Request) {
+	validate := validator.New()
+	target := req.FormValue("target")
+	if validate.Var(target, "alphanum")
+	// GOOD: `target` is alphanumeric
+	resp, err := http.Get("https://example.com/current_api/" + target)
+	if err != nil {
+		// error handling
+	}
+
+	// process request response
+	use(resp)
+}