JS: add simple query for detecting sensitive files downloaded over insecure connection #3689
Conversation
erik-krogh
changed the title
| */ | ||
| string unsafeExtension() { | ||
| result = | ||
| ["exe", "dmg", "pkg", "tar.gz", "zip", "sh", "bat", "cmd", "app", "apk", "msi", "dmg", |
There was a problem hiding this comment.
What about .jar and .war files?
There was a problem hiding this comment.
Good point, those after often used as executeables.
javascript/ql/src/semmle/javascript/security/dataflow/InsecureDownload.qll
Outdated
Show resolved
Hide resolved
Co-authored-by: Asger F <asgerf@github.com>
There was a problem hiding this comment.
@erik-krogh - this LGTM ✨
Happy for this to be merged once you had a look at my suggestions and comments (there are a few typos, but apart from that, it's looking really good).
Hope it helps!
|
I'm not sure how relevant this is in practice: So it may be useful to also to track such cases. Or maybe not 🤷♂️ |
I think it is useful to track such cases. And you got a good point, thanks 👍 |
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
It did, I agree with all your suggested changes 👍 |
CVE-2017-16003: TP/TN
A very closely related issue to look for
httpurls in 'package.jsonfiles, or<script />tags withhttp` urls, but that is not a path-problem, so it feels weird mashing that into the same query.Maybe we should get back to that later?
It was suggested at one point that I could add an integrity-check as a sanitizer, but I don't know what that would look like?
The query only supports the
httpandftpprotocols for now. Suggestions for additional protocols are very welcome.Performance evaluation waits until after this PR has been merged into the sprint branch.