-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: Go: CORS Bypass due to incorrect checks #16813
base: main
Are you sure you want to change the base?
Conversation
Please don't review this yet. I need some help writing QL for this. I will raise this over slack. |
Hello porcupineyhairs 👋 In the meantime, feel free to make changes to the pull request. If you'd like to maximize payout for your this and future submissions, here are a few general guidelines, that we might take into consideration when reviewing a submission.
Please note that these are guidelines, not rules. Since we have a lot of different types of submissions, the guidelines might vary for each submission. Happy hacking! |
3aacc85
to
8a0f28f
Compare
@Kwstubbs This query is working and can be tested. However, for some reason, the select statement does not give the results in a proper form for Codeql to properly generate paths. I will take this up with the go team. In the mean time, please feel free to review and continue with the bounty application. |
12d3eb4
to
cfb9aba
Compare
Most Go frameworks provide a function call where-in you can pass a handler for testing origins and performing CORS checks. These functions typically check for the supllied origin in a list of valid origins. This behaviour is mostly fine but can lead to issues when done incorrectly. for example, consider the code snippets below https://github.com/zeromicro/go-zero/blob/5c9fae7e6258fd66d026793e7cb03ba9955e3dee/rest/internal/cors/handlers.go#L79-L91 https://github.com/play-with-docker/play-with-docker/blob/7188d83f867cbc201aef4b0597ac5f868c1971f3/handlers/bootstrap.go#L71-L80 In both these cases, the checks are implemented incorrectly and can lead to a CORS bypass resulting in CVE-2023-28109 and CVE-2024-27302. This PR aims to add a query, and its corresponding qhelp and tests for detecting the same vulnerability. The databases to verify the same can be downloaded from ``` https://file.io/OQX8Q3H3hMd4 https://filetransfer.io/data-package/wAfSEvZu#link ```
cfb9aba
to
71fd955
Compare
class GorillaOriginFuncSource extends RemoteFlowSource::Range { | ||
GorillaOriginFuncSource() { | ||
exists(FuncDef f, DataFlow::CallNode c | | ||
// Find a func passed to `AllowedOriginValdiator` as a validator. | ||
// The string parameter supplied to the validator is a remote controlled string supplied in the origin header. | ||
// `gh.AllowedOriginValidator(func(origin string) bool{})` | ||
f.getParameter(0).getType() instanceof StringType and | ||
f.getNumParameter() = 1 and | ||
c.getTarget().hasQualifiedName("github.com/gorilla/handlers", "AllowedOriginValidator") and | ||
c.getArgument(0).asExpr() = f | ||
| | ||
DataFlow::localFlow(DataFlow::parameterNode(f.getParameter(0)), this) | ||
) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@owen-mc This does not seem to do what I need it to do. I tried quick-eval for just these lines. I can see they identify the source correct and the sinks correctly but the moment I run a dataflow query, it fails to see the flow. I can see there is no modification done to the source before the sink. So, i don't know what could be missing here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please can you give me an example of a path you'd expect to see? I've downloaded the db you provided in the bounty issue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I get a different result from you - when I quick-eval this class on the current db for that repo I get 6 results - all the uses of origin
in the lines you linked it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I can see the origin
's too but I don't see them when I run the full data flow query.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, GorillaOriginFuncSource
seems to be giving the expected results. I think the problem is in MaybeOrigin
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MaybeOrigin
correctly detects the vuln for the other project db.
or | ||
v.getAWrite() = w and mayBeCors(v.getName()) | ||
| | ||
w = r.getASuccessor*().asInstruction() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This line seems off - why would the write instruction be a data flow successor of a remote flow source? I could imagine the rhs of the write instruction might be. But that also gives me no results.
exists(Write w, Variable v | | ||
mayBeCors(w.getLhs().getName()) | ||
or | ||
v.getAWrite() = w and mayBeCors(v.getName()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a pattern that causes awful performance. In the first part of the or
you don't constraint v
at all, so it is allowed to be any Variable
, which produces a large number of results. You should rewrite it like this, so that there are never any unconstrained variables.
exists(Write w, Variable v | | |
mayBeCors(w.getLhs().getName()) | |
or | |
v.getAWrite() = w and mayBeCors(v.getName()) | |
exists(Write w | | |
mayBeCors(w.getLhs().getName()) | |
or | |
exists(Variable v | | |
v.getAWrite() = w and mayBeCors(v.getName()) | |
) |
exists(DataFlow::CallNode c, DataFlow::ArgumentNode a | | ||
c.getArgument(_) = r.getASuccessor*() | ||
or | ||
c.getReceiver() = r.getASuccessor*() and | ||
a.argumentOf(c.asExpr(), _) | ||
| | ||
mayBeCors([a.getStringValue(), c.getTarget().getName()]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the same pattern that produces awful performance that I mentioned above, with the twist that a
, which is unconstrained in the first part of the or
, is actually used later on. Since argumentOf
includes the receiver and all arguments, I think you probably want something like this:
exists(DataFlow::CallNode c, DataFlow::ArgumentNode a | | |
c.getArgument(_) = r.getASuccessor*() | |
or | |
c.getReceiver() = r.getASuccessor*() and | |
a.argumentOf(c.asExpr(), _) | |
| | |
mayBeCors([a.getStringValue(), c.getTarget().getName()]) | |
exists(DataFlow::CallNode c, DataFlow::ArgumentNode a | | |
a = r.getASuccessor*() and | |
a.argumentOf(c.asExpr(), _) | |
| | |
mayBeCors([a.getStringValue(), c.getTarget().getName()]) |
Note that this matches the receiver and all arguments of any function whose name satisfies mayBeCors
. I assume this is intended, though it doesn't match the comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change makes the result in goZero disappear.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The result in goZero starts at this part of the code: r.Header.Get(originHeader)
. The "receiver or argument whose name could suggest it has something to do with cors" is the argument originHeader
. But taint doesn't flow to that argument (it's a constant string) . The reason we get a result is that there is flow from a remote flow source to the receiver of this call, r.Header
(in fact it is itself a remote flow source).
Maybe I haven't fully understood what this code is meant to do (ignoring the variable write side for now). My current understanding is "find any argument or a receiver whose name could suggest it has something to do with cors and which has taint flowing to it from a remote flow source - this
is the remote flow source".
mc.getTarget().hasQualifiedName("strings", "HasSuffix") and | ||
a = mc.getArgument(1) and | ||
// should not match ".domain.com" | ||
not a.asExpr().(StringLit).getExactValue().matches(".%") and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you are testing it against the non-vulnerable version. There are two databases. One named playWithDockerDb
and the other named playWithDockerVulnDb
. The first should not get a detection as it is with the correct fix. The second is the one with the actual vulnerability. The line you refer should prevent all strings starting with a .
as non-vulnerable. This is expected.
@owen-mc I have made some changes to the query. The query now detects both the vulnerabilities correctly. However, I can see duplicate results for the |
c.getTarget().hasQualifiedName("github.com/gorilla/handlers", "AllowedOriginValidator") and | ||
c.getArgument(0).asExpr() = f | ||
| | ||
DataFlow::localFlow(DataFlow::parameterNode(f.getParameter(0)), this) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DataFlow::localFlow(DataFlow::parameterNode(f.getParameter(0)), this) | |
this = DataFlow::parameterNode(f.getParameter(0)) |
There is no point saying data flows from X
to Y
, and Y
is the source - you should just make X
the source. This gets rid of the duplicates.
/** | ||
* An argument to a Gorilla's OriginValidator Function taken as a source | ||
*/ | ||
class GorillaOriginFuncSource extends RemoteFlowSource::Range { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
class GorillaOriginFuncSource extends RemoteFlowSource::Range { | |
class GorillaOriginFuncSource extends DataFlow::Node { |
I don't think you actually want this to extend RemoteFlowSource::Range
. Since this is a .ql
file, it can't be imported by any other files, so the only effects are within this file. Looking at the uses of RemoteFlowSource
in this file, the only effect is that MaybeOrigin
can include nodes from GorillaOriginFuncSource
. But as MaybeOrigin
is only used in node instanceof MaybeOrigin or node instanceof GorillaOriginFuncSource
, this makes no difference.
@owen-mc Changes done. MRVA showed be alerts in 3 projects. One of them was a false positive which has been fixed. So, there are two projects with alerts right now and they look valid to me. |
|
||
bindingset[s] | ||
private predicate mayBeCors(string s) { | ||
s.toLowerCase().matches(["%origin%", "%cors%"]) and not s.toLowerCase().matches(["%original%"]) |
Check warning
Code scanning / CodeQL
Singleton set literal Warning
} | ||
} | ||
|
||
private module UrlFlow implements DataFlow::ConfigSig { |
Check warning
Code scanning / CodeQL
Data flow configuration module naming Warning
Most Go frameworks provide a function call where-in you can pass a handler for testing origins and performing CORS checks. These functions typically check for the supllied origin in a list of valid origins. This behaviour is mostly fine but can lead to issues when done incorrectly. for example, consider the code snippets below
https://github.com/zeromicro/go-zero/blob/5c9fae7e6258fd66d026793e7cb03ba9955e3dee/rest/internal/cors/handlers.go#L79-L91
https://github.com/play-with-docker/play-with-docker/blob/7188d83f867cbc201aef4b0597ac5f868c1971f3/handlers/bootstrap.go#L71-L80
In both these cases, the checks are implemented incorrectly and can lead to a CORS bypass resulting in CVE-2023-28109 and CVE-2024-27302.
This PR aims to add a query, and its corresponding qhelp and tests for detecting the same vulnerability.
The databases to verify the same can be downloaded from