Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upGolang : Improvements to Golang SSRF query #97
Comments
|
I can't find a golang cve for this. However, I did come across this issue which is very similar to what this query detects. I can see a comment claiming that a request param is used for initiating a WebSocket connection. But it is difficult to say for sure as the corresponding h1 report and PR are non public. |
|
Your submission is now in status SecLab finalize. For information, the evaluation workflow is the following: |
|
Created Hackerone report 956296 for bounty 237619 : [97] Golang : Improvements to Golang SSRF query |
|
Your submission is now in status Closed. For information, the evaluation workflow is the following: |
|
Thanks a lot for the bounty!! |
CVE
This query has not been tested against all lgtm projects. So, there is no CVE found using this PR.
Report
This query detects instances where untrusted user input may be used to instantiate a server side connection to an attacker controlled node. This query adds websocket sinks for the following 3rd party libraries.
Apart from these, the initial version of this PR also included support for the
net/httpstandard library'sDo/ Get/ Postetc. methods. These were afterwards removed as there was an existing query detecting SSRF which included these sinks.This query also added checks for three type of sanitizers. All of them based on the OpenURL redirect query.
if input == "localhost"{ //sink }if m, _ := regexp.MatchString("ws://localhost:12345/*", untrustedInput); m { // sink }isLocalUrl,isValidRedirect.The now merged PR also include library tests as well as query tests and a qhelp file along with well documented code.
Link to the PR:[github/codeql-go#107]