private import python
private import semmle.python.Concepts
private import semmle.python.ApiGraphs
private import semmle.python.dataflow.new.RemoteFlowSources
private import semmle.python.dataflow.new.DataFlow
/**
 * A call that reads a client-supplied IP address out of the HTTP request headers
 * (`X-Forwarded-For`, `X-Real-IP`, `Proxy-Client-IP`, etc.). The header name argument is a
 * string literal that, lower-cased, is one of the names in `clientIpParameterName()`.
 *
 * For example: `request.headers.get("X-Forwarded-For")`.
 *
 * Each concrete subclass models the header-access API of one framework; the node is the
 * call itself, so it is the value an attacker controls by sending a forged header.
 */
abstract class ClientSuppliedIpUsedInSecurityCheck extends DataFlow::CallCfgNode { }
/**
 * Flask: `request.headers.get(name)`, `request.headers.get_all(name)` or
 * `request.headers.getlist(name)`, where `request` is the `flask.request` remote flow
 * source and `name` is a string literal naming a client-IP header (compared
 * case-insensitively against `clientIpParameterName()`).
 */
private class FlaskClientSuppliedIpUsedInSecurityCheck extends ClientSuppliedIpUsedInSecurityCheck {
  FlaskClientSuppliedIpUsedInSecurityCheck() {
    exists(RemoteFlowSource request, DataFlow::AttrRead headerGet, DataFlow::AttrRead headersRead |
      request.getSourceType() = "flask.request" and
      // `headerGet` is the callee `<headersRead>.get` / `.get_all` / `.getlist`
      headerGet = this.getFunction() and
      headerGet.getAttributeName() in ["get", "get_all", "getlist"] and
      // `headersRead` is `request.headers`
      headersRead = headerGet.getObject() and
      headersRead.getAttributeName() = "headers" and
      headersRead.getObject().getALocalSource() = request and
      // the looked-up header name must be a literal naming a client-IP header
      this.getArg(0).asExpr().(StrConst).getText().toLowerCase() = clientIpParameterName()
    )
  }
}
/**
 * Django: `request.headers.get(name)` or `request.META.get(name)`, where `request` is the
 * `django.http.request.HttpRequest` remote flow source and `name` is a string literal naming
 * a client-IP header (compared case-insensitively against `clientIpParameterName()`), e.g.
 * `request.META.get("HTTP_X_FORWARDED_FOR")`.
 */
private class DjangoClientSuppliedIpUsedInSecurityCheck extends ClientSuppliedIpUsedInSecurityCheck {
  DjangoClientSuppliedIpUsedInSecurityCheck() {
    exists(RemoteFlowSource request, DataFlow::AttrRead headerGet, DataFlow::AttrRead mappingRead |
      request.getSourceType() = "django.http.request.HttpRequest" and
      // `headerGet` is the callee `<mappingRead>.get`
      headerGet = this.getFunction() and
      headerGet.getAttributeName() = "get" and
      // `mappingRead` is `request.headers` or `request.META`
      mappingRead = headerGet.getObject() and
      mappingRead.getAttributeName() in ["headers", "META"] and
      mappingRead.getObject().getALocalSource() = request and
      // the looked-up key must be a literal naming a client-IP header
      this.getArg(0).asExpr().(StrConst).getText().toLowerCase() = clientIpParameterName()
    )
  }
}
/**
 * Tornado: `handler.request.headers.get(name)` or `handler.request.headers.get_list(name)`,
 * where `handler` is the `tornado.web.RequestHandler` remote flow source and `name` is a
 * string literal naming a client-IP header (compared case-insensitively against
 * `clientIpParameterName()`).
 */
private class TornadoClientSuppliedIpUsedInSecurityCheck extends ClientSuppliedIpUsedInSecurityCheck {
  TornadoClientSuppliedIpUsedInSecurityCheck() {
    exists(
      RemoteFlowSource handler, DataFlow::AttrRead headerGet, DataFlow::AttrRead headersRead,
      DataFlow::AttrRead requestRead
    |
      handler.getSourceType() = "tornado.web.RequestHandler" and
      // `headerGet` is the callee `<headersRead>.get` / `.get_list`
      headerGet = this.getFunction() and
      headerGet.getAttributeName() in ["get", "get_list"] and
      // `headersRead` is `<requestRead>.headers`
      headersRead = headerGet.getObject() and
      headersRead.getAttributeName() = "headers" and
      // `requestRead` is `handler.request` (the attribute name itself is not constrained)
      requestRead = headersRead.getObject() and
      requestRead.getObject().getALocalSource() = handler and
      // the looked-up header name must be a literal naming a client-IP header
      this.getArg(0).asExpr().(StrConst).getText().toLowerCase() = clientIpParameterName()
    )
  }
}
/**
 * Lower-cased names under which a client-supplied IP address is commonly looked up: both
 * HTTP header names and their WSGI `environ` / Django `META` key spellings. Callers
 * lower-case the literal before comparing, so every entry here is lower case.
 */
private string clientIpParameterName() {
  // proxy-added headers carrying the original client address
  result in ["x-forwarded-for", "x_forwarded_for", "x-real-ip", "x_real_ip"]
  or
  result in ["proxy-client-ip", "proxy_client_ip", "wl-proxy-client-ip", "wl_proxy_client_ip"]
  or
  // WSGI / `request.META` key spellings of the same headers
  result in [
      "http_x_forwarded_for", "http-x-forwarded-for", "http_x_forwarded", "http_x_cluster_client_ip",
      "http_client_ip", "http_forwarded_for", "http_forwarded", "http_via"
    ]
  or
  // NOTE(review): `REMOTE_ADDR` is normally the transport peer address filled in by the
  // server rather than a client-supplied header; kept for parity with the original list,
  // but worth confirming it does not produce false positives.
  result = "remote_addr"
}
/**
 * A data flow sink for ip address forgery vulnerabilities: a place where the (possibly
 * forged) client IP is used to make a security-relevant decision. Concrete subclasses cover
 * the SQL text of a SQL execution and comparisons of the IP against private/internal
 * address literals or allow-lists.
 */
abstract class PossibleSecurityCheck extends DataFlow::Node { }
/**
 * The SQL text of any SQL execution, treated as a security check: an attacker-chosen IP
 * reaching a query can be used to look up or bypass IP-based access rules.
 */
private class SqlOperationAsSecurityCheck extends PossibleSecurityCheck {
  SqlOperationAsSecurityCheck() { exists(SqlExecution exec | this = exec.getSql()) }
}
/**
 * A data flow sink for remote client ip comparison.
 *
 * For example: `if not ipAddr.startswith('192.168.') : ...` determines whether the client ip
 * starts with `192.168.`, and the program can be deceived by forging the ip address.
 *
 * Three shapes are recognised: `ip.startswith(<private prefix>)`; `ip == <private host>` or
 * `ip != <private host>` with the literal on either side; and membership tests `ip in ...` /
 * `ip not in ...`, or `... in ip` when the left operand is not a bare separator literal.
 */
private class CompareSink extends PossibleSecurityCheck {
  CompareSink() {
    // `ip.startswith("10.")`, `ip.startswith("192.168.")`, ...
    exists(Call startsWith, StrConst prefix |
      startsWith.getFunc().(Attribute).getName() = "startswith" and
      startsWith.getFunc().(Attribute).getObject() = this.asExpr() and
      prefix = startsWith.getArg(0) and
      prefix.getText().regexpMatch(getIpAddressRegex()) and
      not prefix.getText() = "0:0:0:0:0:0:0:1"
    )
    or
    // `ip == "127.0.0.1"` / `"localhost" != ip`: the literal may be on either side
    exists(Compare equality, StrConst host |
      (equality.getOp(0) instanceof Eq or equality.getOp(0) instanceof NotEq) and
      (
        equality.getLeft() = this.asExpr() and host = equality.getComparator(0)
        or
        equality.getComparator(0) = this.asExpr() and host = equality.getLeft()
      ) and
      host.getText() instanceof PrivateHostName and
      not host.getText() = "0:0:0:0:0:0:0:1"
    )
    or
    // `ip in allowlist` / `ip not in allowlist`, or `"10." in ip`
    // (a bare separator on the left, such as `"." in ip`, is not a security check)
    exists(Compare membership |
      (membership.getOp(0) instanceof In or membership.getOp(0) instanceof NotIn) and
      (
        membership.getLeft() = this.asExpr()
        or
        membership.getComparator(0) = this.asExpr() and
        not membership.getLeft().(StrConst).getText() in ["%", ",", "."]
      )
    )
  }
}
/**
 * An anchored regular expression for string literals that are prefixes of RFC 1918 private
 * IPv4 addresses: `10.`, `192.168.` and `172.16.`–`172.31.`, each optionally followed by
 * further dotted octets. Used by `CompareSink` to recognise `ip.startswith(...)` checks.
 *
 * Not covered: loopback (`127.`) and IPv6 literals; compare `PrivateHostName`.
 */
string getIpAddressRegex() {
  result =
    "^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$"
}
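/**
 * A string naming a private or loopback host: `localhost`, `127.0.0.1`, RFC 1918 IPv4
 * addresses (`10.x.x.x`, `172.16.x.x`–`172.31.x.x`, `192.168.x.x`) and the IPv6 loopback
 * address written as `0:0:0:0:0:0:0:1` or `::1`, with or without surrounding brackets.
 * Only the host portion is matched; a trailing `:port`, path, query or fragment is permitted
 * but not inspected, so no separate port check is needed.
 *
 * Matching is case-insensitive. The dots in every IPv4 pattern are escaped, so a string such
 * as `192x168.0.1` is not treated as private, and the `172.` range covers the whole
 * `172.16.0.0/12` block, consistent with `getIpAddressRegex()`.
 */
private class PrivateHostName extends string {
  bindingset[this]
  PrivateHostName() {
    this.regexpMatch("(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.(?:1[6-9]|2[0-9]|3[01])(?:\\.[0-9]+){2}(?:[:/?#].*)?|192\\.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[?0:0:0:0:0:0:0:1\\]?(?:[:/?#].*)?|\\[?::1\\]?(?:[:/?#].*)?")
  }
}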