WIP: Go: CORS Bypass due to incorrect checks #16813
Conversation
|
Please don't review this yet. I need some help writing QL for this. I will raise this over slack. |
|
Hello porcupineyhairs 👋 In the meantime, feel free to make changes to the pull request. If you'd like to maximize payout for your this and future submissions, here are a few general guidelines, that we might take into consideration when reviewing a submission.
Please note that these are guidelines, not rules. Since we have a lot of different types of submissions, the guidelines might vary for each submission. Happy hacking! |
porcupineyhairs
force-pushed
the
goCorsBypass
branch
from
3aacc85
to
8a0f28f
Compare
|
@Kwstubbs This query is working and can be tested. However, for some reason, the select statement does not give the results in a proper form for Codeql to properly generate paths. I will take this up with the go team. In the mean time, please feel free to review and continue with the bounty application. |
porcupineyhairs
force-pushed
the
goCorsBypass
branch
2 times, most recently
from
12d3eb4
to
cfb9aba
Compare
Most Go frameworks provide a function call where-in you can pass a handler for testing origins and performing CORS checks. These functions typically check for the supllied origin in a list of valid origins. This behaviour is mostly fine but can lead to issues when done incorrectly. for example, consider the code snippets below https://github.com/zeromicro/go-zero/blob/5c9fae7e6258fd66d026793e7cb03ba9955e3dee/rest/internal/cors/handlers.go#L79-L91 https://github.com/play-with-docker/play-with-docker/blob/7188d83f867cbc201aef4b0597ac5f868c1971f3/handlers/bootstrap.go#L71-L80 In both these cases, the checks are implemented incorrectly and can lead to a CORS bypass resulting in CVE-2023-28109 and CVE-2024-27302. This PR aims to add a query, and its corresponding qhelp and tests for detecting the same vulnerability. The databases to verify the same can be downloaded from ``` https://file.io/OQX8Q3H3hMd4 https://filetransfer.io/data-package/wAfSEvZu#link ```
porcupineyhairs
force-pushed
the
goCorsBypass
branch
from
cfb9aba
to
71fd955
Compare
| class GorillaOriginFuncSource extends RemoteFlowSource::Range { | ||
| GorillaOriginFuncSource() { | ||
| exists(FuncDef f, DataFlow::CallNode c | | ||
| // Find a func passed to `AllowedOriginValdiator` as a validator. | ||
| // The string parameter supplied to the validator is a remote controlled string supplied in the origin header. | ||
| // `gh.AllowedOriginValidator(func(origin string) bool{})` | ||
| f.getParameter(0).getType() instanceof StringType and | ||
| f.getNumParameter() = 1 and | ||
| c.getTarget().hasQualifiedName("github.com/gorilla/handlers", "AllowedOriginValidator") and | ||
| c.getArgument(0).asExpr() = f | ||
| | | ||
| DataFlow::localFlow(DataFlow::parameterNode(f.getParameter(0)), this) | ||
| ) | ||
| } | ||
| } |
There was a problem hiding this comment.
@owen-mc This does not seem to do what I need it to do. I tried quick-eval for just these lines. I can see they identify the source correct and the sinks correctly but the moment I run a dataflow query, it fails to see the flow. I can see there is no modification done to the source before the sink. So, i don't know what could be missing here.
Most Go frameworks provide a function call where-in you can pass a handler for testing origins and performing CORS checks. These functions typically check for the supllied origin in a list of valid origins. This behaviour is mostly fine but can lead to issues when done incorrectly. for example, consider the code snippets below
https://github.com/zeromicro/go-zero/blob/5c9fae7e6258fd66d026793e7cb03ba9955e3dee/rest/internal/cors/handlers.go#L79-L91
https://github.com/play-with-docker/play-with-docker/blob/7188d83f867cbc201aef4b0597ac5f868c1971f3/handlers/bootstrap.go#L71-L80
In both these cases, the checks are implemented incorrectly and can lead to a CORS bypass resulting in CVE-2023-28109 and CVE-2024-27302.
This PR aims to add a query, and its corresponding qhelp and tests for detecting the same vulnerability.
The databases to verify the same can be downloaded from