Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Golang : Improvements to Golang SSRF query #97

Closed
porcupineyhairs opened this issue May 21, 2020 · 5 comments
Closed

Golang : Improvements to Golang SSRF query #97

porcupineyhairs opened this issue May 21, 2020 · 5 comments
Labels

Comments

@porcupineyhairs
Copy link

@porcupineyhairs porcupineyhairs commented May 21, 2020

CVE

This query has not been tested against all lgtm projects. So, there is no CVE found using this PR.

Report

This query detects instances where untrusted user input may be used to instantiate a server side connection to an attacker controlled node. This query adds websocket sinks for the following 3rd party libraries.

  1. gorilla websocket (11.7k stars)
  2. golang/x/net/websocket (2.1k stars)
  3. gobwas websocket (3.1k stars)
  4. nhooyr.io websocket (1.3k stars)

Apart from these, the initial version of this PR also included support for the net/http standard library's Do/ Get/ Post etc. methods. These were afterwards removed as there was an existing query detecting SSRF which included these sinks.

This query also added checks for three type of sanitizers. All of them based on the OpenURL redirect query.

  1. An equality check of the form
    if input == "localhost"{ //sink }
  2. A regex check
    if m, _ := regexp.MatchString("ws://localhost:12345/*", untrustedInput); m { // sink }
  3. A function of the form isLocalUrl, isValidRedirect.

The now merged PR also include library tests as well as query tests and a qhelp file along with well documented code.

Link to the PR:[github/codeql-go#107]

@porcupineyhairs
Copy link
Author

@porcupineyhairs porcupineyhairs commented Jun 8, 2020

I can't find a golang cve for this. However, I did come across this issue which is very similar to what this query detects. I can see a comment claiming that a request param is used for initiating a WebSocket connection. But it is difficult to say for sure as the corresponding h1 report and PR are non public.

@ghsecuritylab
Copy link
Collaborator

@ghsecuritylab ghsecuritylab commented Aug 11, 2020

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@xcorail
Copy link
Contributor

@xcorail xcorail commented Aug 11, 2020

Created Hackerone report 956296 for bounty 237619 : [97] Golang : Improvements to Golang SSRF query 🎉

@ghsecuritylab
Copy link
Collaborator

@ghsecuritylab ghsecuritylab commented Aug 11, 2020

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@xcorail xcorail closed this Aug 11, 2020
@porcupineyhairs
Copy link
Author

@porcupineyhairs porcupineyhairs commented Aug 11, 2020

Thanks a lot for the bounty!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.