Skip to content

JS: recognize sanitizing slashes in URL redirection queries #436

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 19, 2018
Merged

JS: recognize sanitizing slashes in URL redirection queries #436

merged 4 commits into from
Nov 19, 2018

Conversation

asger-semmle
Copy link
Contributor

The sanitizer for our URL redirection queries is now more precise, so we no longer get false positives from things like:

res.redirect("/users/" + req.params.id);

The tricky thing about slashes is that they are used in multiple parts of the URL:

  1. separating the (optional) scheme from the hostname
  2. separating the hostname from the path
  3. occurring inside the path, query, and/or fragment

The attacker must not be able to control the hostname, so we need to make sure a slash cannot be interpreted as (1). A redirection such as

res.redirect("/" + req.query.redirect)

is unsafe because it can lead to //evil.com.

I've also removed the Sink.maybeNonLocal() predicate from ServerSideUrlRedirect as it appears to implement the same sanitizer as the sanitizing prefix.

I'll run an evaluation, but just putting up for review now.

@asger-semmle asger-semmle requested a review from a team as a code owner November 8, 2018 11:22
xiemaisi
xiemaisi previously approved these changes Nov 8, 2018
View reviewed changes
ghost
ghost previously approved these changes Nov 8, 2018
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also LGTM, but I would like clarification on the regexp.

@asger-semmle
Copy link
Contributor Author

Performance goes both ways. I suspect the difference is that there are more sinks now (unreachable due to the sanitizer), so the exploratory flow steps reach a larger graph.

@asger-semmle asger-semmle dismissed stale reviews from ghost and xiemaisi via e1838d4 November 9, 2018 09:47
@asger-semmle
Copy link
Contributor Author

I had also missed that the SSRF query depends on sanitizingPrefixEdge, and for SSRF the path is also considered vulnerable. So I've reverted sanitizingPrefixEdge to its original behaviour and introduced hostnameSanitizingPrefixEdge instead.

@xiemaisi xiemaisi added the JS label Nov 13, 2018
xiemaisi
xiemaisi previously approved these changes Nov 13, 2018
View reviewed changes
xiemaisi
xiemaisi previously approved these changes Nov 13, 2018
View reviewed changes
@xiemaisi
Copy link

Conflicts again.

@semmle-qlci semmle-qlci merged commit 9e4aeb3 into github:master Nov 19, 2018
cklin pushed a commit that referenced this pull request May 23, 2022
@smowton
Merge pull request #436 from sauyon/InVisionApp/main
5647a47 
Refactor HTTP tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xiemaisi xiemaisi xiemaisi approved these changes

Assignees
No one assigned
Labels
JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@asger-semmle @xiemaisi @semmle-qlci