Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Simple JS CodeInjection vulnerability no longer caught in latest release. #18757

Open
yonajix opened this issue Feb 12, 2025 · 2 comments · May be fixed by #18768
Open

Simple JS CodeInjection vulnerability no longer caught in latest release. #18757

yonajix opened this issue Feb 12, 2025 · 2 comments · May be fixed by #18768
Labels
question Further information is requested

Comments

@yonajix
Copy link

yonajix commented Feb 12, 2025
edited
Loading

I noticed that this very simple code injection example is longer caught in the latest release.

function main() {
    let userInput = new URLSearchParams(window.location.search).get('input');

    eval(userInput);

}
main()

This CodeInjection query fails to catch this:

/**
 * @name Code injection
 * @description Interpreting unsanitized user input as code allows a malicious user arbitrary
 *              code execution.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.3
 * @precision high
 * @id js/code-injection
 * @tags security
 *       external/cwe/cwe-094
 *       external/cwe/cwe-095
 *       external/cwe/cwe-079
 *       external/cwe/cwe-116
 */

import javascript
import semmle.javascript.security.dataflow.CodeInjectionQuery
import CodeInjectionFlow::PathGraph

from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
where CodeInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, sink.getNode().(Sink).getMessagePrefix() + " depends on a $@.",
  source.getNode(), "user-provided value"

However this is caught using the old deprecated Configuration method:

/**
 * @name Code injection
 * @description Interpreting unsanitized user input as code allows a malicious user arbitrary
 *              code execution.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.3
 * @precision high
 * @id js/code-injection
 * @tags security
 *       external/cwe/cwe-094
 *       external/cwe/cwe-095
 *       external/cwe/cwe-079
 *       external/cwe/cwe-116
 */

 import javascript
 import semmle.javascript.security.dataflow.CodeInjectionQuery
 import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, sink.getNode().(Sink).getMessagePrefix() + " depends on a $@.",
   source.getNode(), "user-provided value"

I believe this is due to the source not propagating through URLSearchParams. Removing URLSearchParams and simply setting userInput = window.location.search allows this vulnerability to be caught.
@yonajix yonajix added the question Further information is requested label Feb 12, 2025
@jketema
Copy link
Contributor

jketema commented Feb 12, 2025

Hi @yonajix

Thanks for your report. I've asked the CodeQL Javascript team to take a look.

@asgerf asgerf linked a pull request Feb 13, 2025 that will close this issue
Draft
@asgerf
Copy link
Contributor

asgerf commented Feb 13, 2025

Thanks for the report @yonajix. I can confirm that this is bug introduced in the recent release and we're working on a fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

JS: Migrate model of URLSearchParams asgerf/codeql
3 participants
@asgerf @jketema @yonajix