Skip to content

JS: improvement to URL-gotcha queries #1178

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ghost wants to merge 4 commits into from
Closed

JS: improvement to URL-gotcha queries #1178

ghost wants to merge 4 commits into from

Conversation

@ghost
Copy link

@ghost ghost commented Mar 28, 2019

This PR is a bit of everything for two queries, and can be summarized as doing the following:

  • js/incomplete-hostname-regexp
    • restricts the analysis to small strings and regexes, at no visible cost to the results
    • avoids spuriously sanitizing values that are provided by the programmer
    • decreases overall relative anslysis time to 0.78
  • js/incomplete-url-substring-sanitization
    • uses a Configuration for interprocedural analysis
    • restricts the analysis to small strings, at no visible cost to the results
    • avoids spuriously sanitizing values that are provided by the programmer
    • increases overall relative analysis time to 1.5
    • adds several very interesting new results

Taken together, this results in a decrease of overall relative anslysis time to 0.88. But this is negligible in the context of the security suite.

Backing data (note that another new Configuration query UnanchoredUrlRegExp.ql contribute to these numbers):

I have also sanity checked this on our set of performance-problematic slugs. The picture seems to be the same as above.

Esben Sparre Andreasen added 4 commits March 28, 2019 22:06
JS: introduce SmallStrings.qll
f79f342
JS: make RegExpPatterns::commonTLD more robust
6a42a6c
JS: optimize and fixup js/incomplete-hostname-regexp
c15fc7a 
The controversial bit of this is the change from
`source.getStringValue()` to
`source.asExpr().(SimpleConstantString).getSimpleStringValue()`.
JS: reformulate js/incomplete-url-substring-sanitization
49fd7a1 
- use taint tracking
- restrict string sources to SimpleConstantString
- turn into a path problem
@ghost ghost added the JS label Mar 28, 2019
@ghost ghost self-requested a review as a code owner March 28, 2019 22:39
xiemaisi
xiemaisi suggested changes Mar 29, 2019
View reviewed changes
Copy link

@xiemaisi xiemaisi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor comment. As discussed it would be nice to have a clearer performance evaluation, and it might be worth to experiment with type back-tracking as an alternative to hardcoding (reasonable but essentially arbitrary) length bounds.

javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp

<references>
<li>OWASP: <a href="https://www.owasp.org/index.php/Server_Side_Request_Forgery">SSRF</a></li>
<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions">Regular Expressions</a></li> <li>OWASP: <a href="https://www.owasp.org/index.php/Server_Side_Request_Forgery">SSRF</a></li>
Copy link

@xiemaisi xiemaisi Mar 29, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing linebreak between the two <li>s.

@ghost
Copy link
Author

ghost commented Apr 5, 2019

Replaced by #1211 and another upcoming PR.

@ghost ghost closed this Apr 5, 2019
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@xiemaisi