Skip to content

[Go] Add Unicode Bypass Validation query, test and help file #12994

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 41 commits into
base: main
Choose a base branch
from
Open

[Go] Add Unicode Bypass Validation query, test and help file #12994

wants to merge 41 commits into from

Conversation

Sim4n6
Copy link
Contributor

@Sim4n6 Sim4n6 commented May 2, 2023

This pull request adds a Unicode Bypass Validation (UBV) query, tests, and the help file.

The UBV query checks for a Post-Unicode Normalization in a Golang codebase that leads to some security issues such as the bypasses of a String validation, regex verification, and escape functions.

@Sim4n6 Sim4n6 requested a review from a team as a code owner May 2, 2023 14:45
This was referenced May 2, 2023
Closed
Closed
smowton
smowton reviewed May 10, 2023
View reviewed changes
@github-actions
Copy link
Contributor

QHelp previews:

go/ql/src/experimental/CWE-176/UnicodeBypassValidation.qhelp

Bypass Logical Validation Using Unicode Characters

Security checks bypass due to a Unicode transformation

If ever a unicode tranformation is performed after some security checks or logical validation, the latter could be bypassed due to a potential Unicode characters collision. The validation of concern are any character escaping, any regex validation or any string verification.

Security checks bypassed

Recommendation

Perform a Unicode normalization before the logical validation.

Example

The following example showcases the bypass of all checks performed by html.EscapeString() due to a post-unicode normalization.

For instance: the character U+FE64 () is not filtered-out by the flask escape function. But due to the Unicode normalization, the character is transformed and would become U+003C (< ).

package main

import (
	"fmt"
	"html"
	"net/http"

	"golang.org/x/text/unicode/norm"
)

func main() {}

func bad() {
	http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {

		unicode_input := req.URL.Query().Get("unicode_input")
		escaped := html.EscapeString(unicode_input)
		unicode_norm := norm.NFKC.String(escaped)
		fmt.Println(w, "Results: %q", unicode_norm)
	})
}

References

github-advanced-security[bot]
github-advanced-security bot found potential problems May 26, 2023
View reviewed changes
@Sim4n6
Copy link
Contributor Author

Sim4n6 commented May 26, 2023

Sorry about the delay, I will be working on this query this weekend.

Sim4n6 and others added 15 commits May 27, 2023 08:19
@Sim4n6 @smowton
Update go/ql/lib/semmle/go/security/UnicodeBypassValidationQuery.qll
e3bc19a 
Co-authored-by: Chris Smowton <smowton@github.com>
@Sim4n6
Merge branch 'golang-UBV' of https://github.com/sim4n6/codeql-pun int…
f40417d 
…o golang-UBV
@Sim4n6 @smowton
Update go/ql/lib/semmle/go/security/UnicodeBypassValidationQuery.qll
09dad11 
Co-authored-by: Chris Smowton <smowton@github.com>
@Sim4n6
Merge branch 'golang-UBV' of https://github.com/sim4n6/codeql-pun int…
8654e2a 
…o golang-UBV
@Sim4n6 @smowton
Update go/ql/lib/semmle/go/security/UnicodeBypassValidationQuery.qll
940a669 
Co-authored-by: Chris Smowton <smowton@github.com>
@Sim4n6
Merge branch 'golang-UBV' of https://github.com/sim4n6/codeql-pun int…
2a5f94c 
…o golang-UBV
@Sim4n6
Use of callee including ext
b304196
@Sim4n6
Removed an image from qhelp file
1917d8f
@Sim4n6
Removed repeating subtitle
7e760fc
@Sim4n6
No redundant imports
84e071c
@Sim4n6
all forms are vulnerable
d5d6776
@Sim4n6
Copied a go.mod and more
4ce9aa9
@Sim4n6
update some metadata
0111776
@Sim4n6
add CWE-180 to metadata
df556e9
@Sim4n6
String manipulation incorporated
07bbfde
@Sim4n6 Sim4n6 requested a review from smowton May 27, 2023 17:27
smowton
smowton reviewed May 30, 2023
View reviewed changes
smowton
smowton reviewed May 30, 2023
View reviewed changes
Copy link
Contributor

@smowton smowton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly looks good, couple more adjustments

smowton
smowton reviewed May 30, 2023
View reviewed changes
@Sim4n6 Sim4n6 requested a review from smowton May 30, 2023 18:43
@Sim4n6 Sim4n6 requested a review from mbg June 6, 2023 16:09
smowton
smowton reviewed Jun 14, 2023
View reviewed changes
@Sim4n6
Copy link
Contributor Author

Sim4n6 commented Jun 26, 2023

A regex match function calls could be used as a barrier guard, commit a64a998.

@Sim4n6 Sim4n6 requested a review from smowton June 26, 2023 10:33
smowton
smowton reviewed Jun 28, 2023
View reviewed changes
Copy link
Contributor

@smowton smowton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking good now! I note the bounty application wants you to submit a Golang CVE -- once that's done I think securitylab will now proceed to check his query's accuracy.

@Sim4n6
Copy link
Contributor Author

Sim4n6 commented Jun 28, 2023

Thanks, no problem @smowton

@mbg mbg removed their request for review November 24, 2023 10:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mbg mbg mbg left review comments

@smowton smowton smowton left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Go no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Sim4n6 @mbg @smowton