Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: Go: CORS Bypass due to incorrect checks #16813

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
+107 −0
Open

WIP: Go: CORS Bypass due to incorrect checks #16813

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
71fd955
WIP: Go: CORS Bypass due to incorrect checks
porcupineyhairs Jun 23, 2024
5b84c0c
Include changes from review
porcupineyhairs Jul 5, 2024
883fd00
Include changes from review
porcupineyhairs Jul 8, 2024
b2ade75
Include changes from review
porcupineyhairs Sep 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 90 additions & 0 deletions go/ql/src/experimental/CWE-639/urlCheck.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
/**
* @name Incorrect check on url
* @description If a CORS policy is configured to accept an origin value obtained from the request data, it can lead to a policy bypass.
* @kind path-problem
* @problem.severity warning
* @id go/cors-bypass
* @tags security
* experimental
* external/cwe/cwe-942
* external/cwe/cwe-346
*/

import go

bindingset[s]
private predicate mayBeCors(string s) { s.toLowerCase().matches(["%origin%", "%cors%"]) }

/**
* An argument to a Gorilla's OriginValidator Function taken as a source
*/
class GorillaOriginFuncSource extends RemoteFlowSource::Range {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
class GorillaOriginFuncSource extends RemoteFlowSource::Range {
class GorillaOriginFuncSource extends DataFlow::Node {

I don't think you actually want this to extend RemoteFlowSource::Range. Since this is a .ql file, it can't be imported by any other files, so the only effects are within this file. Looking at the uses of RemoteFlowSource in this file, the only effect is that MaybeOrigin can include nodes from GorillaOriginFuncSource. But as MaybeOrigin is only used in node instanceof MaybeOrigin or node instanceof GorillaOriginFuncSource, this makes no difference.

GorillaOriginFuncSource() {
exists(FuncDef f, DataFlow::CallNode c |
// Find a func passed to `AllowedOriginValdiator` as a validator.
// The string parameter supplied to the validator is a remote controlled string supplied in the origin header.
// `gh.AllowedOriginValidator(func(origin string) bool{})`
f.getParameter(0).getType() instanceof StringType and
f.getNumParameter() = 1 and
c.getTarget().hasQualifiedName("github.com/gorilla/handlers", "AllowedOriginValidator") and
c.getArgument(0).asExpr() = f
|
DataFlow::localFlow(DataFlow::parameterNode(f.getParameter(0)), this)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
DataFlow::localFlow(DataFlow::parameterNode(f.getParameter(0)), this)
this = DataFlow::parameterNode(f.getParameter(0))

There is no point saying data flows from X to Y, and Y is the source - you should just make X the source. This gets rid of the duplicates.

)
}
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@owen-mc This does not seem to do what I need it to do. I tried quick-eval for just these lines. I can see they identify the source correct and the sinks correctly but the moment I run a dataflow query, it fails to see the flow. I can see there is no modification done to the source before the sink. So, i don't know what could be missing here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please can you give me an example of a path you'd expect to see? I've downloaded the db you provided in the bounty issue.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@owen-mc I am trying to detect this

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I get a different result from you - when I quick-eval this class on the current db for that repo I get 6 results - all the uses of origin in the lines you linked it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I can see the origin's too but I don't see them when I run the full data flow query.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, GorillaOriginFuncSource seems to be giving the expected results. I think the problem is in MaybeOrigin.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MaybeOrigin correctly detects the vuln for the other project db.


private class MaybeOrigin extends RemoteFlowSource {
MaybeOrigin() {
exists(RemoteFlowSource r |
// Any write where the variables name could suggest it has something to do with cors.
exists(Write w, Variable v |
mayBeCors(w.getLhs().getName())
or
v.getAWrite() = w and mayBeCors(v.getName())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a pattern that causes awful performance. In the first part of the or you don't constraint v at all, so it is allowed to be any Variable, which produces a large number of results. You should rewrite it like this, so that there are never any unconstrained variables.

Suggested change
exists(Write w, Variable v |
mayBeCors(w.getLhs().getName())
or
v.getAWrite() = w and mayBeCors(v.getName())
exists(Write w |
mayBeCors(w.getLhs().getName())
or
exists(Variable v |
v.getAWrite() = w and mayBeCors(v.getName())
)

|
w = r.getASuccessor*().asInstruction()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line seems off - why would the write instruction be a data flow successor of a remote flow source? I could imagine the rhs of the write instruction might be. But that also gives me no results.

)
or
// Any argument or a receiver whose name could suggest it has something to do with cors.
exists(DataFlow::CallNode c, DataFlow::ArgumentNode a |
c.getArgument(_) = r.getASuccessor*()
or
c.getReceiver() = r.getASuccessor*() and
a.argumentOf(c.asExpr(), _)
|
mayBeCors([a.getStringValue(), c.getTarget().getName()])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the same pattern that produces awful performance that I mentioned above, with the twist that a, which is unconstrained in the first part of the or, is actually used later on. Since argumentOf includes the receiver and all arguments, I think you probably want something like this:

Suggested change
exists(DataFlow::CallNode c, DataFlow::ArgumentNode a |
c.getArgument(_) = r.getASuccessor*()
or
c.getReceiver() = r.getASuccessor*() and
a.argumentOf(c.asExpr(), _)
|
mayBeCors([a.getStringValue(), c.getTarget().getName()])
exists(DataFlow::CallNode c, DataFlow::ArgumentNode a |
a = r.getASuccessor*() and
a.argumentOf(c.asExpr(), _)
|
mayBeCors([a.getStringValue(), c.getTarget().getName()])

Note that this matches the receiver and all arguments of any function whose name satisfies mayBeCors. I assume this is intended, though it doesn't match the comment.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change makes the result in goZero disappear.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The result in goZero starts at this part of the code: r.Header.Get(originHeader). The "receiver or argument whose name could suggest it has something to do with cors" is the argument originHeader. But taint doesn't flow to that argument (it's a constant string) . The reason we get a result is that there is flow from a remote flow source to the receiver of this call, r.Header (in fact it is itself a remote flow source).

Maybe I haven't fully understood what this code is meant to do (ignoring the variable write side for now). My current understanding is "find any argument or a receiver whose name could suggest it has something to do with cors and which has taint flowing to it from a remote flow source - this is the remote flow source".

)
|
this = r
)
}
}

private module UrlFlow implements DataFlow::ConfigSig {

Check warning

Code scanning / CodeQL

Data flow configuration module naming Warning

Modules implementing a data flow configuration should end in Config.
predicate isSource(DataFlow::Node node) { node instanceof MaybeOrigin }

predicate isSink(DataFlow::Node node) {
exists(DataFlow::CallNode mc, DataFlow::ArgumentNode a |
// Get a call to `strings.HasSuffix(origin, allowedDomain)`
mc.getTarget().hasQualifiedName("strings", "HasSuffix") and
a = mc.getArgument(1) and
// should not match ".domain.com"
not a.asExpr().(StringLit).getExactValue().matches(".%") and
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you are testing it against the non-vulnerable version. There are two databases. One named playWithDockerDb and the other named playWithDockerVulnDb. The first should not get a detection as it is with the correct fix. The second is the one with the actual vulnerability. The line you refer should prevent all strings starting with a . as non-vulnerable. This is expected.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I somehow didn't find all the dbs before. I have them now. I've also read a bit more about the vulnerability and I understand what you're trying to find now.

not exists(AddExpr w | w.getLeftOperand().getStringValue().matches(".%") |
DataFlow::localFlow(DataFlow::exprNode(w), a)
)
|
mc.getArgument(0) = node
)
}
}

private module Flow = TaintTracking::Global<UrlFlow>;

private import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink,
"This can lead to a Cross Origin Resource Sharing(CORS) policy bypass"
Loading