smowton
left a comment
I think this probably doesn't work as intended at the moment -- waiting to evaluate
java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
> This still seems very broad -- in
Thanks @smowton for the advice. I've made the requested change. Please review.
smowton
left a comment
This looks better, though there is one major weakness still: we will only notice getParameter and similar calls that occur directly within doGet. This query is good enough to evaluate, or alternatively you could apply taint to the HttpRequest object and then have getParameter propagate taint onto its return value, thus detecting getParameter occurring within a utility method, the HttpRequest being passed to another method, etc.
Let me know whether you'd like me to evaluate this query as-is, or try to improve it.
smowton
left a comment
This looks good now; have made some documentation suggestions and started the evaluation.
java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.qhelp
java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
> As per the suggestion from @m-y-mo, use
Thanks! We'll rerun the query and let you know our feedback.
java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery2.java
> Looks like there's a compilation error:
Sorry @aschackmull. I've updated the signature of the ambiguous method so that there will be no conflict. |
When an application uses the GET method to submit sensitive information such as passwords and access tokens, it is transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL therefore increases the risk that they will be captured by an attacker.
This kind of vulnerability is categorized as CWE-598: Use of GET Request Method with Sensitive Query Strings.
This query detects GET requests with sensitive information handled by Java EE Servlets.
Please consider merging the PR. Thanks.
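The PR description notes that sensitive values placed in a GET query string end up in web-server access logs. The following added example (not part of the pull request or the CodeQL repository) shows that exposure from the defender's side: it scans constructed Common Log Format lines for GET requests carrying sensitive parameter names, and masks such values before a URL is written to a log. The parameter-name list and the sample log lines are assumptions chosen for the illustration.

```python
"""Detect and redact sensitive parameters in GET query strings found in access logs."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed list of parameter names treated as sensitive; tune for your application.
SENSITIVE_PARAMS = frozenset(
    {"password", "passwd", "pwd", "token", "access_token", "api_key", "secret"}
)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512
10.0.0.8 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /api/items?page=2 HTTP/1.1" 200 2048
10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /oauth/cb?access_token=abc123&state=x HTTP/1.1" 200 128
"""


def sensitive_get_params(target, sensitive=SENSITIVE_PARAMS):
    """Return the sorted sensitive parameter names present in a request target's query."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)}
    return sorted(names & sensitive)


def scan_access_log(text, sensitive=SENSITIVE_PARAMS):
    """Return (line_no, client, path, [params]) for GET requests exposing sensitive params."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        # POST bodies never reach the access log; only GET targets are inspected here.
        if not m or m.group("method") != "GET":
            continue
        leaked = sensitive_get_params(m.group("target"), sensitive)
        if leaked:
            findings.append((line_no, m.group("host"), urlsplit(m.group("target")).path, leaked))
    return findings


def redact_target(target, sensitive=SENSITIVE_PARAMS):
    """Mask sensitive query values so the target can be logged without exposing them."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in sensitive else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()


if __name__ == "__main__":
    for line_no, host, path, params in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} GET {path} exposes {', '.join(params)}")
```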