Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CodeQL miss to detect a vulnerability because of irrelvant code? #17957

Open
Anemone95 opened this issue Nov 11, 2024 · 2 comments · May be fixed by #17958
Open

CodeQL miss to detect a vulnerability because of irrelvant code? #17957

Anemone95 opened this issue Nov 11, 2024 · 2 comments · May be fixed by #17958
Labels
question Further information is requested

Comments

@Anemone95
Copy link

The problem is when I scan these files of code:
./main.js:

(() => {})(), // this line makes the codeql neglect the vulnerability?
(() => {
  let fe = require('./source.js').s;
  let e = fe();
  window.location.href = e;
})();

./source.js:

module.exports.s = function() {
  let e = window.location.href.split("#")[1];
  return decodeURIComponent(e);
};

CodeQL doesn't report any vulnerability but if I comment the first line of main.js, like:

// (() => {})(),
(() => {
  let fe = require('./source.js').s;
  let e = fe();
  window.location.href = e;
})();

It detected one, which is:

"Client-side URL redirect","Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.","error","Untrusted URL redirection depends on a [[""user-provided value""|""relative:///source.js:2:11:2:30""]].
Untrusted URL redirection depends on a [[""user-provided value""|""relative:///source.js:2:11:2:25""]].","/main.js","5","26","5","26"

Is there an issue? Since the part of code (() => {})() which seems irrelevant to the vulnerability to me affects the query result.

The version of the codeql that I use:

CodeQL command-line toolchain release 2.18.3.
Copyright (C) 2019-2024 GitHub, Inc.
Unpacked in: ...
   Analysis results depend critically on separately distributed query and
   extractor modules. To list modules that are visible to the toolchain,
   use 'codeql resolve qlpacks' and 'codeql resolve languages'.

And here is the command I use:

codeql database create --language=javascript codeql-database --source-root="./sourcecode"
codeql database analyze ./codeql-database/ $CODE_QL/codeql-repo/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql --format=csv --output="result.csv" --threads=10
cat result.csv | grep redirect
@Anemone95 Anemone95 added the question Further information is requested label Nov 11, 2024
@asgerf asgerf linked a pull request Nov 11, 2024 that will close this issue
Draft
@asgerf
Copy link
Contributor

asgerf commented Nov 14, 2024

Hi @Anemone95, thanks for reporting this. I have found the underlying bug and have a fix in the works.

@Anemone95
Copy link
Author

Thanks, but are you sure the pr can fix that? I switched the "js/top-level-comma" branch, checked the updated code exists, and rerun the command it didn't work. Did I miss any command? The file you modified is a java file maybe I need to clean up the built artifact somewhere and rebuild the extractor?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

JS: Handle sequence expressions in module detection asgerf/codeql
2 participants
@asgerf @Anemone95