Update HTTP.qll by gagliardetto · Pull Request #95 · github/codeql-go

gagliardetto · 2020-04-13T09:22:53Z

Add more fields to UserControlledRequestField(), and more methods to UserControlledRequestMethod() on "net/http".Request.

Example server

package main

import (
	"fmt"
	"log"
	"net/http"
)

func main() {

	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Println("r.Host", r.Host)
		fmt.Println("r.Method", r.Method)
		fmt.Println("r.RequestURI", r.RequestURI)

		fmt.Println("r.BasicAuth()")
		user, password, _ := r.BasicAuth()
		fmt.Println(fmt.Sprintf("username %q, password %q", user, password))

		fmt.Println("---")
	})
	fmt.Println("running server on :8080")
	log.Fatal(http.ListenAndServe(":8080", nil))
}

Example request

printf "H&&\$ /\$(echo\u00A0hello\u00A0world) HTTP/1.0\r\nHost: lite\$(echo;hello;world)).whatever.com\r\nAuthorization: Basic JChlY2hvIGhlbGxvIHdvcmxkKTokKGVjaG8gd29ybGQpCg==\r\n\r\n" | nc 127.0.0.1 8080

Server log of this request:

r.Host lite$(echo;hello;world)).whatever.com
r.Method H&&$
r.RequestURI /$(echo hello world)
r.BasicAuth()
username "$(echo hello world)", password "$(echo world)\n"
---

Add more fields to `UserControlledRequestField()`, and more methods to `UserControlledRequestMethod()` on `"net/http".Request`.

max-schaefer · 2020-04-14T07:59:02Z

@sauyon, could you take a look at this? You've most recently been working in these parts.

gagliardetto · 2020-04-14T08:02:03Z

I'm going to add all Golang web frameworks, one at a time; best starting point is net/http

max-schaefer · 2020-04-14T08:05:51Z

-        fieldName = "URL"
+        fieldName = "URL" or
+        fieldName = "Host" or
+        fieldName = "Method" or


While this one is technically under the attacker's control, it'll have to be a valid HTTP verb, so not too interesting from a taint-tracking perspective.

HTTP verb validation is kind of out of net/http package scope; the verb will be validated only if the developer will add the validation (third party code).

Catch-all endpoints are not uncommon.

(again, see example)

When you say "see example", what are you referring to?

I'm referring to my first comment in this PR.

Oh, you mean the PR description. Could you turn that into a test, please?

Sure. Shall I put the new fields/method inside here: https://github.com/github/codeql-go/blob/master/ql/test/library-tests/semmle/go/frameworks/HTTP/main.go ?

Or you had another kind of test in mind?

sauyon

Hey! Sorry about the delay, I've been running some tests because I'm somewhat worried about this causing false positives: while catch-all endpoints may be relatively common, we have no way of knowing whether the source is actually from a catch-all endpoint or not with the way the library is structured. That said, perhaps the pattern of using the host or request path in some sensitive way is rare enough that this is a non-issue.

Specifically for our open redirect query, though, an evaluation (internal link) shows a false positive on uber/cockroach, which represents a class of false positives I would like for you to fix; here's the result on LGTM (it's the one in pprofui/server.go).

That should just be a matter of modifying the UntrustedFlowAsSource class in (ql/src/semmle/go/https://github.com/github/codeql-go/blob/master/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll)[https://github.com/github/codeql-go/blob/master/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll].

sauyon · 2020-04-15T07:57:02Z

        methName = "Referer" or
-        methName = "UserAgent"
+        methName = "UserAgent" or
+        methName = "BasicAuth"     


Suggested change

methName = "BasicAuth"

methName = "BasicAuth"

sauyon · 2020-04-15T08:38:25Z

Re: tests, copying your example server into the tests directory should work (you might have to tweak the name of the main function to get it to build).

Also, I'd like to see a test for the open URL redirect query as well.

gagliardetto · 2020-04-27T10:04:24Z

Sorry for the delay!

while catch-all endpoints may be relatively common, we have no way of knowing whether the source is actually from a catch-all endpoint or not with the way the library is structured

You are right. While not creating much noise for flows to sinks such as command execution, Method can create much noise in other cases.

It's probably better to leave it out.

which represents a class of false positives I would like for you to fix

Do you mean adding RequestURI to the ignored fields list in

codeql-go/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll

Lines 43 to 52 in 3a39085

    
           not exists(Field f, string fieldName | 
        
             f.hasQualifiedName("net/http", "Request", fieldName) and 
        
             this = f.getARead() 
        
           | 
        
             fieldName = "Body" or 
        
             fieldName = "GetBody" or 
        
             fieldName = "PostForm" or 
        
             fieldName = "MultipartForm" or 
        
             fieldName = "Header" or 
        
             fieldName = "Trailer"

?

I'd like to see a test for the open URL redirect query as well.

You mean adding field read examples here https://github.com/github/codeql-go/blob/master/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.go ?

ghost

I think the Method,URI and Host fields should not be included by default. See my comment below.

ghost · 2020-04-28T18:56:28Z

@@ -0,0 +1,22 @@
+package main


The fields here can be merged with main.go There's no need really to write the same boilerplate code here again.

sauyon · 2020-04-29T06:46:23Z

Do you mean adding RequestURI to the ignored fields list in

codeql-go/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll

Lines 43 to 52 in 3a39085

not exists(Field f, string fieldName |

f.hasQualifiedName("net/http", "Request", fieldName) and

this = f.getARead()

|

fieldName = "Body" or

fieldName = "GetBody" or

fieldName = "PostForm" or

fieldName = "MultipartForm" or

fieldName = "Header" or

fieldName = "Trailer"

?

Yep 👍

I'd like to see a test for the open URL redirect query as well.

You mean adding field read examples here https://github.com/github/codeql-go/blob/master/ql/test/query-tests/Security/CWE-601/OpenUrlRedirect/OpenUrlRedirect.go ?

Would like it here, specifically for the fields that you add to the above.

max-schaefer · 2020-06-23T06:10:50Z

@gagliardetto, are you still working on this?

gagliardetto · 2020-06-23T19:02:18Z

I'll reopen this in the future.

max-schaefer · 2020-06-23T19:16:04Z

Sounds good.

Update HTTP.qll

034f897

Add more fields to `UserControlledRequestField()`, and more methods to `UserControlledRequestMethod()` on `"net/http".Request`.

max-schaefer requested a review from sauyon April 14, 2020 07:58

max-schaefer reviewed Apr 14, 2020

View reviewed changes

Comment thread ql/src/semmle/go/frameworks/HTTP.qll

max-schaefer reviewed Apr 14, 2020

View reviewed changes

sauyon reviewed Apr 15, 2020

View reviewed changes

gagliardetto added 2 commits April 27, 2020 11:51

Add example go code

6965b31

Remove Method field as source

dcf173a

ghost reviewed Apr 28, 2020

View reviewed changes

radeksroda approved these changes May 9, 2020

View reviewed changes

gagliardetto marked this pull request as draft May 9, 2020 06:04

gagliardetto closed this Jun 23, 2020

Conversation

gagliardetto commented Apr 13, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Example server

Example request

Uh oh!

max-schaefer commented Apr 14, 2020

Uh oh!

gagliardetto commented Apr 14, 2020

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

sauyon left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

sauyon commented Apr 15, 2020

Uh oh!

gagliardetto commented Apr 27, 2020

Uh oh!

ghost left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

sauyon commented Apr 29, 2020

Uh oh!

max-schaefer commented Jun 23, 2020

Uh oh!

gagliardetto commented Jun 23, 2020

Uh oh!

max-schaefer commented Jun 23, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

gagliardetto commented Apr 13, 2020 •

edited

Loading