Skip to content

JS: Add some support for indirect route handlers#4275

Merged
codeql-ci merged 18 commits intogithub:mainfrom
erik-krogh:CVE760-indirect
Sep 21, 2020
Merged

JS: Add some support for indirect route handlers#4275
codeql-ci merged 18 commits intogithub:mainfrom
erik-krogh:CVE760-indirect

Conversation

@erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Sep 16, 2020

Gets a TP for CVE-2020-15135 (after #4247 is merged).
Only the first commit is needed to get the TP.

The other commits tries to generalize a bit, in order to support these two examples of indirect route handlers: one, two.

An evaluation shows a decent amount of new route-handlers found.
And performance is "not great not terrible" - I'll look into it.
An evaluation shows a decent amount of new route-handlers found.
And performance looks good.

@github-actions github-actions bot added the JS label Sep 16, 2020
@erik-krogh erik-krogh marked this pull request as ready for review September 18, 2020 07:31
@erik-krogh erik-krogh requested a review from a team as a code owner September 18, 2020 07:31
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So in summary: we can now identify RouteHandlerCandidates as proper route handlers if they are invoked trivially through wrapper-functions. The idea SGTM.

My main concern is the location of the predicates.

*/
private predicate forwardingCall(DataFlow::SourceNode callee, HTTP::RouteHandlerCandidate f) {
exists(DataFlow::CallNode call | call = callee.getACall() |
f.getNumParameter() >= 2 and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we exclude f.getNumParameter() = 1?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was a "this should look like a route-handler" constraint.
But now that the type of f is HTTP::RouteHandlerCandidate, that constraint is unnecessary.

}

override DataFlow::SourceNode getRouteHandler(DataFlow::SourceNode access) {
override RouteHandlerCandidate getRouteHandler(DataFlow::SourceNode access) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need this restriction, isn't the inline cast sufficient anymore? I get that the extends HTTP::RouteHandlerCandidateContainer::Range naming heavily implies this type, but then the return type ought to be restricted in that super class instead IMO. I think the generalized return type in the super class is quite deliberate.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The inline cast is perfectly sufficient.
I just did this change as a drive-by refactorization to help my own understanding of the predicate while I was editing the predicate.

But yeah, having a different return-type compared to the super class can be confusing, so I'll change it back.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it looks like this wasn't changed back after all.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right. I only changed it only for ContainerObject, and forgot ContainerCollection.

Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Final round.

}

override DataFlow::SourceNode getRouteHandler(DataFlow::SourceNode access) {
override RouteHandlerCandidate getRouteHandler(DataFlow::SourceNode access) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it looks like this wasn't changed back after all.

Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Last nit: Lets add the improved framework models to the change-notes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants

Comments