Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CodeQL miss to detect a vulnerability because of irrelvant code? #17957

Open
Anemone95 opened this issue Nov 11, 2024 · 4 comments · May be fixed by #17958
Open

CodeQL miss to detect a vulnerability because of irrelvant code? #17957

Anemone95 opened this issue Nov 11, 2024 · 4 comments · May be fixed by #17958
Labels
question Further information is requested

Comments

@Anemone95
Copy link

The problem is when I scan these files of code:
./main.js:

(() => {})(), // this line makes the codeql neglect the vulnerability?
(() => {
  let fe = require('./source.js').s;
  let e = fe();
  window.location.href = e;
})();

./source.js:

module.exports.s = function() {
  let e = window.location.href.split("#")[1];
  return decodeURIComponent(e);
};

CodeQL doesn't report any vulnerability but if I comment the first line of main.js, like:

// (() => {})(),
(() => {
  let fe = require('./source.js').s;
  let e = fe();
  window.location.href = e;
})();

It detected one, which is:

"Client-side URL redirect","Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.","error","Untrusted URL redirection depends on a [[""user-provided value""|""relative:https:///source.js:2:11:2:30""]].
Untrusted URL redirection depends on a [[""user-provided value""|""relative:https:///source.js:2:11:2:25""]].","/main.js","5","26","5","26"

Is there an issue? Since the part of code (() => {})() which seems irrelevant to the vulnerability to me affects the query result.

The version of the codeql that I use:

CodeQL command-line toolchain release 2.18.3.
Copyright (C) 2019-2024 GitHub, Inc.
Unpacked in: ...
   Analysis results depend critically on separately distributed query and
   extractor modules. To list modules that are visible to the toolchain,
   use 'codeql resolve qlpacks' and 'codeql resolve languages'.

And here is the command I use:

codeql database create --language=javascript codeql-database --source-root="./sourcecode"
codeql database analyze ./codeql-database/ $CODE_QL/codeql-repo/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql --format=csv --output="result.csv" --threads=10
cat result.csv | grep redirect
@Anemone95 Anemone95 added the question Further information is requested label Nov 11, 2024
@asgerf asgerf linked a pull request Nov 11, 2024 that will close this issue
@asgerf
Copy link
Contributor

asgerf commented Nov 14, 2024

Hi @Anemone95, thanks for reporting this. I have found the underlying bug and have a fix in the works.

@Anemone95
Copy link
Author

Thanks, but are you sure the pr can fix that? I switched the "js/top-level-comma" branch, checked the updated code exists, and rerun the command it didn't work. Did I miss any command? The file you modified is a java file maybe I need to clean up the built artifact somewhere and rebuild the extractor?

@asgerf
Copy link
Contributor

asgerf commented Nov 15, 2024

Yes, the extractor needs to be rebuilt and the database needs to be extracted with the new extractor, so simply checking out the branch won't be enough. Unfortunately it requires internal access to build the extractor so you'll have to wait for the fix.

@Anemone95
Copy link
Author

I see. So I will wait for merging and once it is successful, I download the latest codeql-cli-binary to see if there would be a difference, right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants