Added tests which shows false positive SSRF via matchAll

github · Nov 7, 2024 · 42600c9 · 42600c9
1 parent 449cee9
commit 42600c9
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 0 deletions.
diff --git a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected
@@ -51,6 +51,18 @@ nodes
 | check-regex.js:41:13:41:43 | "test.c ... tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted |
+| check-regex.js:58:15:58:42 | baseURL ... tainted |
+| check-regex.js:58:15:58:42 | baseURL ... tainted |
+| check-regex.js:58:25:58:42 | req.params.tainted |
+| check-regex.js:58:25:58:42 | req.params.tainted |
+| check-regex.js:61:15:61:42 | baseURL ... tainted |
+| check-regex.js:61:15:61:42 | baseURL ... tainted |
+| check-regex.js:61:25:61:42 | req.params.tainted |
+| check-regex.js:61:25:61:42 | req.params.tainted |
+| check-regex.js:63:15:63:42 | baseURL ... tainted |
+| check-regex.js:63:15:63:42 | baseURL ... tainted |
+| check-regex.js:63:25:63:42 | req.params.tainted |
+| check-regex.js:63:25:63:42 | req.params.tainted |
 | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted |
@@ -127,6 +139,18 @@ edges
 | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
+| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted |
+| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted |
+| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted |
+| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted |
+| check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted |
+| check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted |
+| check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted |
+| check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted |
+| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted |
+| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted |
+| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted |
+| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
@@ -166,6 +190,9 @@ edges
 | check-regex.js:31:15:31:45 | "test.c ... tainted | check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-regex.js:34:15:34:42 | baseURL ... tainted | check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. |
 | check-regex.js:41:13:41:43 | "test.c ... tainted | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
+| check-regex.js:58:15:58:42 | baseURL ... tainted | check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. |
+| check-regex.js:61:15:61:42 | baseURL ... tainted | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. |
+| check-regex.js:63:15:63:42 | baseURL ... tainted | check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. |
 | check-validator.js:15:15:15:45 | "test.c ... tainted | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-validator.js:27:15:27:45 | "test.c ... tainted | check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-validator.js:50:15:50:45 | "test.c ... tainted | check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |

diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-regex.js b/javascript/ql/test/experimental/Security/CWE-918/check-regex.js
@@ -51,3 +51,17 @@ app.get('/check-with-axios', req => {
 const isValidPath = path =>  path.match(/^[0-9a-z]+$/);
 
 const isInBlackList = path =>  path.match(/^[/\.%]+$/);
+
+app.get('/check-with-axios', req => {
+  const baseURL = "test.com/"
+  if (isValidPathMatchAll(req.params.tainted) ) {
+    axios.get(baseURL + req.params.tainted); // OK
+  }
+  if (!isValidPathMatchAll(req.params.tainted) ) {
+    axios.get(baseURL + req.params.tainted); // SSRF
+  } else {
+    axios.get(baseURL + req.params.tainted); // OK
+  }
+});
+
+const isValidPathMatchAll = path =>  path.matchAll(/^[0-9a-z]+$/g);