codeql/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql at 3e898487e8d13e1444e3e4e58a03ed910dd54dca · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
/**
 * @name Incomplete multi-character sanitization
 * @description A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence.
 * @kind problem
 * @problem.severity warning
 * @precision high
 * @id js/incomplete-multi-character-sanitization
 * @tags correctness
 *       security
 *       external/cwe/cwe-116
 *       external/cwe/cwe-20
 */

import javascript
import semmle.javascript.security.IncompleteBlacklistSanitizer

predicate isDangerous(RegExpTerm t) {
  // path traversals
  t.getAMatchedString() = ["..", "/..", "../"]
  or
  exists(RegExpTerm start |
    start = t.(RegExpSequence).getAChild() and
    start.getConstantValue() = "." and
    start.getSuccessor().getConstantValue() = "." and
    not [start.getPredecessor(), start.getSuccessor().getSuccessor()].getConstantValue() = "."
  )
  or
  // HTML comments
  t.getAMatchedString() = "<!--"
  or
  // HTML scripts
  t.getAMatchedString().regexpMatch("(?i)<script.*")
  or
  exists(RegExpSequence seq | seq = t |
    t.getChild(0).getConstantValue() = "<" and
    // the `cript|scrip` case has been observed in the wild, not sure what the goal of that pattern is...
    t
        .getChild(0)
        .getSuccessor+()
        .getAMatchedString()
        .regexpMatch("(?i)iframe|script|cript|scrip|style")
  )
  or
  // HTML attributes
  exists(string dangerousPrefix | dangerousPrefix = ["ng-", "on"] |
    t.getAMatchedString().regexpMatch("(i?)" + dangerousPrefix + "[a-z]+")
    or
    exists(RegExpTerm start, RegExpTerm event | start = t.getAChild() |
      start.getConstantValue().regexpMatch("(?i)[^a-z]*" + dangerousPrefix) and
      event = start.getSuccessor() and
      exists(RegExpTerm quantified | quantified = event.(RegExpQuantifier).getChild(0) |
        quantified
            .(RegExpCharacterClass)
            .getAChild()
            .(RegExpCharacterRange)
            .isRange(["a", "A"], ["z", "Z"]) or
        [quantified, quantified.(RegExpRange).getAChild()].(RegExpCharacterClassEscape).getValue() =
          "w"
      )
    )
  )
}

from StringReplaceCall replace, RegExpTerm regexp, RegExpTerm dangerous
where
  [replace.getRawReplacement(), replace.getCallback(1).getAReturn()].mayHaveStringValue("") and
  replace.isGlobal() and
  regexp = replace.getRegExp().getRoot() and
  dangerous.getRootTerm() = regexp and
  isDangerous(dangerous) and
  // avoid anchored terms
  not exists(RegExpAnchor a | a.getRootTerm() = regexp) and
  // avoid flagging wrappers
  not (
    dangerous instanceof RegExpAlt or
    dangerous instanceof RegExpGroup
  ) and
  // don't flag replace operations in a loop
  not replace.getReceiver().getALocalSource() = replace
select replace, "The replaced string may still contain a substring that starts matching at $@.",
  dangerous, dangerous.toString()