Skip to content

CodeQL miss to detect a vulnerability because of irrelvant code? #17957

New issue
New issue
Open
#17958
Open
CodeQL miss to detect a vulnerability because of irrelvant code?#17957
#17958
Labels
questionFurther information is requested
@Anemone95

Description

@Anemone95
Anemone95
opened on Nov 11, 2024

The problem is when I scan these files of code:
./main.js:

(() => {})(), // this line makes the codeql neglect the vulnerability?
(() => {
  let fe = require('./source.js').s;
  let e = fe();
  window.location.href = e;
})();

./source.js:

module.exports.s = function() {
  let e = window.location.href.split("#")[1];
  return decodeURIComponent(e);
};

CodeQL doesn't report any vulnerability but if I comment the first line of main.js, like:

// (() => {})(),
(() => {
  let fe = require('./source.js').s;
  let e = fe();
  window.location.href = e;
})();

It detected one, which is:

"Client-side URL redirect","Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.","error","Untrusted URL redirection depends on a [[""user-provided value""|""relative:///source.js:2:11:2:30""]].
Untrusted URL redirection depends on a [[""user-provided value""|""relative:///source.js:2:11:2:25""]].","/main.js","5","26","5","26"

Is there an issue? Since the part of code (() => {})() which seems irrelevant to the vulnerability to me affects the query result.

The version of the codeql that I use:

CodeQL command-line toolchain release 2.18.3.
Copyright (C) 2019-2024 GitHub, Inc.
Unpacked in: ...
   Analysis results depend critically on separately distributed query and
   extractor modules. To list modules that are visible to the toolchain,
   use 'codeql resolve qlpacks' and 'codeql resolve languages'.

And here is the command I use:

codeql database create --language=javascript codeql-database --source-root="./sourcecode"
codeql database analyze ./codeql-database/ $CODE_QL/codeql-repo/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql --format=csv --output="result.csv" --threads=10
cat result.csv | grep redirect

Activity

Anemone95
added
questionFurther information is requested
on Nov 11, 2024
asgerf
linked a pull request that will close this issue on Nov 11, 2024
asgerf

asgerf commented on Nov 14, 2024

@asgerf
asgerf
on Nov 14, 2024
Contributor

Hi @Anemone95, thanks for reporting this. I have found the underlying bug and have a fix in the works.

Anemone95

Anemone95 commented on Nov 14, 2024

@Anemone95
Anemone95
on Nov 14, 2024
Author

Thanks, but are you sure the pr can fix that? I switched the "js/top-level-comma" branch, checked the updated code exists, and rerun the command it didn't work. Did I miss any command? The file you modified is a java file maybe I need to clean up the built artifact somewhere and rebuild the extractor?

asgerf

asgerf commented on Nov 15, 2024

@asgerf
asgerf
on Nov 15, 2024
Contributor

Yes, the extractor needs to be rebuilt and the database needs to be extracted with the new extractor, so simply checking out the branch won't be enough. Unfortunately it requires internal access to build the extractor so you'll have to wait for the fix.

Anemone95

Anemone95 commented on Nov 15, 2024

@Anemone95
Anemone95
on Nov 15, 2024
Author

I see. So I will wait for merging and once it is successful, I download the latest codeql-cli-binary to see if there would be a difference, right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    questionFurther information is requested

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @asgerf@Anemone95

      Issue actions
        CodeQL miss to detect a vulnerability because of irrelvant code? · Issue #17957 · github/codeql