Skip to content

Commit c917cd0

Browse files
authored
Merge pull request #4054 from erik-krogh/urlIncludes
Approved by esbena
2 parents 8876dd5 + 15a7449 commit c917cd0

File tree

4 files changed

+14
-2
lines changed

4 files changed

+14
-2
lines changed

change-notes/1.26/analysis-javascript.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@
2424

2525
| **Query** | **Expected impact** | **Change** |
2626
|--------------------------------|------------------------------|---------------------------------------------------------------------------|
27+
| Incomplete URL substring sanitization (`js/incomplete-url-substring-sanitization`) | More results | This query now recognizes additional URLs when the substring check is an inclusion check. |
2728

2829

2930
## Changes to libraries
30-

javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,10 @@ where
4343
or
4444
// target is a HTTP URL to a domain on any TLD
4545
target.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+([a-z]+)(:[0-9]+)?/?")
46+
or
47+
// target is a HTTP URL to a domain on any TLD with path elements, and the check is an includes check
48+
check instanceof StringOps::Includes and
49+
target.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+([a-z]+)(:[0-9]+)?/[a-z0-9/_-]+")
4650
) and
4751
(
4852
if check instanceof StringOps::StartsWith

javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.expected

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,3 +20,6 @@
2020
| tst-IncompleteUrlSubstringSanitization.js:63:4:63:33 | x.index ... !== -1 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:63:14:63:25 | "secure.com" | secure.com |
2121
| tst-IncompleteUrlSubstringSanitization.js:64:3:64:26 | x.inclu ... e.com") | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:64:14:64:25 | "secure.com" | secure.com |
2222
| tst-IncompleteUrlSubstringSanitization.js:66:6:66:29 | x.inclu ... e.com") | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:66:17:66:28 | "secure.com" | secure.com |
23+
| tst-IncompleteUrlSubstringSanitization.js:73:5:73:48 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:73:15:73:42 | "https: ... oo/bar" | https://secure.com/foo/bar |
24+
| tst-IncompleteUrlSubstringSanitization.js:74:5:74:40 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:74:15:74:34 | "https://secure.com" | https://secure.com |
25+
| tst-IncompleteUrlSubstringSanitization.js:75:5:75:52 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:75:15:75:46 | "https: ... ar-baz" | https://secure.com/foo/bar-baz |

javascript/ql/test/query-tests/Security/CWE-020/tst-IncompleteUrlSubstringSanitization.js

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -67,5 +67,10 @@
6767

6868
} else {
6969
doSomeThingWithTrustedURL(x);
70-
}
70+
}
71+
72+
x.startsWith("https://secure.com/foo/bar"); // OK - a forward slash after the domain makes prefix checks safe.
73+
x.indexOf("https://secure.com/foo/bar") >= 0 // NOT OK - the url can be anywhere in the string.
74+
x.indexOf("https://secure.com") >= 0 // NOT OK
75+
x.indexOf("https://secure.com/foo/bar-baz") >= 0 // NOT OK - the url can be anywhere in the string.
7176
});

0 commit comments

Comments
 (0)