-
Notifications
You must be signed in to change notification settings - Fork 126
Conversation
TODO:
|
|
(deleted, turned out to be nonsense) |
It doesn't. |
I believe that if I assumed that web frameworks do check that to be a sensible value, I would be wrong in most cases. |
Server: package main
import (
"fmt"
"log"
"github.com/valyala/fasthttp"
)
func main() {
listenAddr := "127.0.0.1:8087"
requestHandler := func(ctx *fasthttp.RequestCtx) {
fmt.Fprintf(ctx,
"Hello, world! Request protocol is %q, scheme is %q",
ctx.Request.Header.Protocol(),
ctx.Request.URI().Scheme(),
)
}
if err := fasthttp.ListenAndServe(listenAddr, requestHandler); err != nil {
log.Fatalf("error in ListenAndServe: %s", err)
}
} Let's send a request: printf "HELLO caramel://whatever DONUT/123\r\n\r\n" | nc 127.0.0.1 8087 |
I'd be inclined to exclude scheme anyway, because the most of the time it's unlikely to cause any injection vulnerabilities, and for something like reflected XSS it's not a vector. That said, the other alternative would be excluding it manually from XSS. |
Well, yes. This only works if there isn't a browser involved. |
Scheme and protocol; anything else to be remove? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've re-reviewed this since it's been a while.
out.isResult() | ||
) | ||
or | ||
// signature: func AppendHTMLEscape(dst []byte, s string) []byte |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should probably add these as sanitizers for XSS.
"Qualifier": { | ||
"Path": "github.com/valyala/fasthttp", | ||
"Version": "v1.23.0", | ||
"ID": "Function-AppendHTTPDate", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be a bit nicer if the disabled selectors were removed from the json.
inp.isParameter(0) and | ||
out.isResult() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think you should include these; most of the time the contents of the dst
slices will be overwritten, right?
out.isReceiver() | ||
or | ||
// signature: func (*Args).String() string | ||
this.hasQualifiedName(packagePath(), "Args", "String") and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't need to model String
methods.
this = out.getExitNode(mtd.getACall()) and | ||
mtd.hasQualifiedName(packagePath(), receiverName, methodName) | ||
| | ||
receiverName = "Args" and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think taint should originate from Args
, Cookie
, RequestHeader
, or URI
; probably it should propagate from the relevant fields of the Request
.
@gagliardetto any progress on this? |
thanks for the ping, @JarLob I am no longer working on this, and don't plan on resuming. |
Part of github/securitylab#335
This PR adds models for the github.com/valyala/fasthttp web framework.
CodeQL Module Summary for
FastHTTP
:Packages:
Model kind
TaintTracking
:FUNCS
:Model kind
HTTP::Redirect
:FUNCS
:Model kind
HTTP::HeaderWrite
:FUNCS
:Model kind
HTTP::ResponseBody
:FUNCS
:Model kind
UntrustedFlowSource
:FUNCS
:STRUCTS
:TYPES
: