[Python] : Cors misconfiguration #16989
Conversation
| /** | ||
| * Holds if `header` sets `Access-Control-Allow-Credentials` to `true`. | ||
| */ | ||
| private predicate setsAllowCredentials(HeaderDeclaration header) { |
There was a problem hiding this comment.
The HeaderDeclaration concept has recently been removed from the experimental library, with its functionality and modelling being provided by the Http::Server::ResponseHeaderWrite concept from the main library (semmle.python.Concepts) instead. Uses here will need to be replaced with that concept in order for this query to compile on main.
|
|
||
| override predicate isSink(DataFlow::Node sink) { | ||
| exists(Compare cmp, Expr left, Expr right, Cmpop cmpop | | ||
| cmpop.getSymbol() = ["==", "in", "is not", "!="] and |
There was a problem hiding this comment.
Is is also intended to be a possible comparison operator here?
Or if in is intended to be checked, should not in also be checked?
| /** | ||
| * This taintflow2 configuration checks if there is a flow from source node towards CorsProbableCheckAccess methods. | ||
| */ | ||
| class CorsSourceReachesCheckConfig extends TaintTracking2::Configuration { |
There was a problem hiding this comment.
It would be a more complex (and I'd say optional) change, but this second configuration could be expressed as a BarrierGaurd sanitizer instead.
| @@ -0,0 +1 @@ | |||
| | test.py:7:55:7:64 | ControlFlowNode for rfs_header | test.py:5:18:5:24 | ControlFlowNode for request | test.py:7:55:7:64 | ControlFlowNode for rfs_header | CORS header is being set using user controlled value $@. | test.py:5:18:5:24 | ControlFlowNode for request | user-provided value | | |||
There was a problem hiding this comment.
Is the test.qlref file missing here?
| Cross-Origin request. | ||
| </p> | ||
|
|
||
| <sample src="test.py" /> |
There was a problem hiding this comment.
This example file appears to be missing.
(if the test.py file from the test directory is intended to be used as the example here, it should be copied into this directory).
Additionally, the closing </example> tag appears to be missing.
sidshank
added
the
awaiting-response
No description provided.