-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: Go: CORS Bypass due to incorrect checks #16813
base: main
Are you sure you want to change the base?
Conversation
Please don't review this yet. I need some help writing QL for this. I will raise this over slack. |
Hello porcupineyhairs 👋 In the meantime, feel free to make changes to the pull request. If you'd like to maximize payout for your this and future submissions, here are a few general guidelines, that we might take into consideration when reviewing a submission.
Please note that these are guidelines, not rules. Since we have a lot of different types of submissions, the guidelines might vary for each submission. Happy hacking! |
3aacc85
to
8a0f28f
Compare
@Kwstubbs This query is working and can be tested. However, for some reason, the select statement does not give the results in a proper form for Codeql to properly generate paths. I will take this up with the go team. In the mean time, please feel free to review and continue with the bounty application. |
12d3eb4
to
cfb9aba
Compare
Most Go frameworks provide a function call where-in you can pass a handler for testing origins and performing CORS checks. These functions typically check for the supllied origin in a list of valid origins. This behaviour is mostly fine but can lead to issues when done incorrectly. for example, consider the code snippets below https://github.com/zeromicro/go-zero/blob/5c9fae7e6258fd66d026793e7cb03ba9955e3dee/rest/internal/cors/handlers.go#L79-L91 https://github.com/play-with-docker/play-with-docker/blob/7188d83f867cbc201aef4b0597ac5f868c1971f3/handlers/bootstrap.go#L71-L80 In both these cases, the checks are implemented incorrectly and can lead to a CORS bypass resulting in CVE-2023-28109 and CVE-2024-27302. This PR aims to add a query, and its corresponding qhelp and tests for detecting the same vulnerability. The databases to verify the same can be downloaded from ``` https://file.io/OQX8Q3H3hMd4 https://filetransfer.io/data-package/wAfSEvZu#link ```
cfb9aba
to
71fd955
Compare
class GorillaOriginFuncSource extends RemoteFlowSource::Range { | ||
GorillaOriginFuncSource() { | ||
exists(FuncDef f, DataFlow::CallNode c | | ||
// Find a func passed to `AllowedOriginValdiator` as a validator. | ||
// The string parameter supplied to the validator is a remote controlled string supplied in the origin header. | ||
// `gh.AllowedOriginValidator(func(origin string) bool{})` | ||
f.getParameter(0).getType() instanceof StringType and | ||
f.getNumParameter() = 1 and | ||
c.getTarget().hasQualifiedName("github.com/gorilla/handlers", "AllowedOriginValidator") and | ||
c.getArgument(0).asExpr() = f | ||
| | ||
DataFlow::localFlow(DataFlow::parameterNode(f.getParameter(0)), this) | ||
) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@owen-mc This does not seem to do what I need it to do. I tried quick-eval for just these lines. I can see they identify the source correct and the sinks correctly but the moment I run a dataflow query, it fails to see the flow. I can see there is no modification done to the source before the sink. So, i don't know what could be missing here.
Most Go frameworks provide a function call where-in you can pass a handler for testing origins and performing CORS checks. These functions typically check for the supllied origin in a list of valid origins. This behaviour is mostly fine but can lead to issues when done incorrectly. for example, consider the code snippets below
https://github.com/zeromicro/go-zero/blob/5c9fae7e6258fd66d026793e7cb03ba9955e3dee/rest/internal/cors/handlers.go#L79-L91
https://github.com/play-with-docker/play-with-docker/blob/7188d83f867cbc201aef4b0597ac5f868c1971f3/handlers/bootstrap.go#L71-L80
In both these cases, the checks are implemented incorrectly and can lead to a CORS bypass resulting in CVE-2023-28109 and CVE-2024-27302.
This PR aims to add a query, and its corresponding qhelp and tests for detecting the same vulnerability.
The databases to verify the same can be downloaded from