Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

library_mono.js triggers apparent false-positive report from GitHub's codeql scan #59147

Closed
SteveSandersonMS opened this issue Sep 15, 2021 · 7 comments · Fixed by #60490
Closed

library_mono.js triggers apparent false-positive report from GitHub's codeql scan #59147

SteveSandersonMS opened this issue Sep 15, 2021 · 7 comments · Fixed by #60490
Assignees
@lewing @pavelsavara
Labels
arch-wasm WebAssembly architecture area-Infrastructure-mono
Milestone
6.0.0

Comments

@SteveSandersonMS
Copy link
Member

SteveSandersonMS commented Sep 15, 2021
edited
Loading

This was originally reported at dotnet/aspnetcore#36529

It seems that if you add GitHub's CodeQL analysis (like this), then you will get a report of a vulnerability like this: https://github.com/damienbod/AspNetCore6Experiments/pull/7/checks?check_run_id=3607015850. Just in case that gets deleted, here's a screenshot:

image

Notice that these are all from dotnet.js (which gets copied and renamed during the build but its contents aren't changed).

On investigation, this seems to map to CodeQL's rule for CWE-134. It gives an example of "bad" code in which user-supplied data becomes part of a format string:

  let user = req.query.user;
  let ip = req.connection.remoteAddress;
  console.log("Unauthorized access attempt by " + user, ip);

I agree that this code is potentially buggy, since if user contained %s, then the ip value would be inserted into the middle of the console output instead of being appended to the end of it. Which would be strange.

I think the closest match to that pattern is here:

runtime/src/mono/wasm/runtime/library_mono.js

Line 1302 in 55622ab

console.log ("Attempting to fetch '" + attemptUrl + "' for", asset.name);

There might be others, but this is the closest one I can find. It's possible that codeql is going to raise an alert for any use of console.log that involves string concatenation instead of %s-style tokens.

Of course, it doesn't seem like this would actually be a vulnerability in a Blazor application, because:

  1. Blazor never runs JavaScript code on the server, and I don't really think user-supplied input could get into this line of code anyway as the list of assets to load (and their URLs) is determined by compile-time code only.
  2. Even if user-supplied input could get here, the fallout seems to be limited to potential "garbled output" in the console, which end users aren't looking at anyway

But it would be good to avoid confusing people and avoid this particular code pattern if it makes CodeQL stop raising an alert. It could probably be fixed by using the format string pattern they cite in the "good" example:

console.log("Unauthorized access attempt by %s", user, ip);

In my opinion this looks like a false alert and I wouldn't suggest it's urgent to work around, but cc @blowdart for info.
@SteveSandersonMS SteveSandersonMS added the arch-wasm WebAssembly architecture label Sep 15, 2021
@ghost
Copy link

ghost commented Sep 15, 2021

Tagging subscribers to 'arch-wasm': @lewing
See info in area-owners.md if you want to be subscribed.

Issue Details

This was originally reported at dotnet/aspnetcore#36529

It seems that if you add GitHub's CodeQL analysis (like this), then you will get a report of a vulnerability like this: https://github.com/damienbod/AspNetCore6Experiments/pull/7/checks?check_run_id=3607015850. Just in case that gets deleted, here's a screenshot:

image

Notice that these are all from dotnet.js (which gets copied and renamed during the build but its contents aren't changed).

On investigation, this seems to map to CodeQL's rule for CWE-134. It gives an example of "bad" code in which user-supplied data becomes part of a format string:

  let user = req.query.user;
  let ip = req.connection.remoteAddress;
  console.log("Unauthorized access attempt by " + user, ip);

I think the closest match to that pattern is here:

runtime/src/mono/wasm/runtime/library_mono.js

Line 1302 in 55622ab

console.log ("Attempting to fetch '" + attemptUrl + "' for", asset.name);

There might be others, but this is the closest one I can find.

Of course, it doesn't seem like this would actually be a vulnerability in a Blazor application, because Blazor never runs JavaScript code on the server, and I don't really think user-supplied input could get into this line of code anyway as the list of assets to load (and their URLs) is determined by compile-time code only. But it would be good to avoid confusing people and avoid this particular code pattern if it makes CodeQL stop raising an alert. It could probably be fixed by using the format string pattern they cite in the "good" example:

console.log("Unauthorized access attempt by %s", user, ip);

In my opinion this looks like a false alert and I wouldn't suggest it's urgent to work around, but cc @blowdart for info.

Author: SteveSandersonMS
Assignees: -
Labels:

arch-wasm
Milestone: -

@dotnet-issue-labeler
Copy link

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged New issue has not been triaged by the area owner label Sep 15, 2021
@SteveSandersonMS SteveSandersonMS mentioned this issue Sep 15, 2021
Closed
@blowdart
Copy link
Contributor

Not ship blocking, but should be addressed before release

@marek-safar marek-safar added this to the 6.0.0 milestone Sep 15, 2021
@marek-safar marek-safar removed the untriaged New issue has not been triaged by the area owner label Sep 15, 2021
@ghost
Copy link

ghost commented Sep 15, 2021

Tagging subscribers to this area: @directhex
See info in area-owners.md if you want to be subscribed.

Issue Details

This was originally reported at dotnet/aspnetcore#36529

It seems that if you add GitHub's CodeQL analysis (like this), then you will get a report of a vulnerability like this: https://github.com/damienbod/AspNetCore6Experiments/pull/7/checks?check_run_id=3607015850. Just in case that gets deleted, here's a screenshot:

image

Notice that these are all from dotnet.js (which gets copied and renamed during the build but its contents aren't changed).

On investigation, this seems to map to CodeQL's rule for CWE-134. It gives an example of "bad" code in which user-supplied data becomes part of a format string:

  let user = req.query.user;
  let ip = req.connection.remoteAddress;
  console.log("Unauthorized access attempt by " + user, ip);

I agree that this code is potentially buggy, since if user contained %s, then the ip value would be inserted into the middle of the console output instead of being appended to the end of it. Which would be strange.

I think the closest match to that pattern is here:

runtime/src/mono/wasm/runtime/library_mono.js

Line 1302 in 55622ab

console.log ("Attempting to fetch '" + attemptUrl + "' for", asset.name);

There might be others, but this is the closest one I can find. It's possible that codeql is going to raise an alert for any use of console.log that involves string concatenation instead of %s-style tokens.

Of course, it doesn't seem like this would actually be a vulnerability in a Blazor application, because:

  1. Blazor never runs JavaScript code on the server, and I don't really think user-supplied input could get into this line of code anyway as the list of assets to load (and their URLs) is determined by compile-time code only.
  2. Even if user-supplied input could get here, the fallout seems to be limited to potential "garbled output" in the console, which end users aren't looking at anyway

But it would be good to avoid confusing people and avoid this particular code pattern if it makes CodeQL stop raising an alert. It could probably be fixed by using the format string pattern they cite in the "good" example:

console.log("Unauthorized access attempt by %s", user, ip);

In my opinion this looks like a false alert and I wouldn't suggest it's urgent to work around, but cc @blowdart for info.

Author: SteveSandersonMS
Assignees: lewing
Labels:

arch-wasm, area-Infrastructure-mono
Milestone: 6.0.0

@ViktorHofer
Copy link
Member

ping @lewing in case this needs to flow into the product.

@lewing lewing mentioned this issue Sep 30, 2021
Merged
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Sep 30, 2021
@lewing
Copy link
Member

lewing commented Sep 30, 2021

@SteveSandersonMS I found two cases which appears to match the number of failures per file. I've opened #59839 for net6.

@lewing
Copy link
Member

lewing commented Sep 30, 2021

@pavelsavara we should resolve this in main but I can wait till #59655 lands

@pavelsavara pavelsavara self-assigned this Oct 1, 2021
steveisok pushed a commit that referenced this issue Oct 6, 2021
@lewing
[release/6.0][wasm] Fix codeql checks (#59839)
5e9e865 
Fixes #59147 for release/6.0 a console method is called
with both a concatenated format string and multiple arguments.
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Oct 6, 2021
@pavelsavara pavelsavara mentioned this issue Oct 15, 2021
Merged
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Oct 15, 2021
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Oct 16, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Nov 15, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@lewing lewing

@pavelsavara pavelsavara

Labels
arch-wasm WebAssembly architecture area-Infrastructure-mono
Projects
None yet
Milestone
6.0.0
Development

Successfully merging a pull request may close this issue.

[wasm] string interpolation instead of concatenation pavelsavara/runtime
7 participants
@lewing @marek-safar @pavelsavara @blowdart @SteveSandersonMS @ViktorHofer @jeffschwMSFT