Skip to content

JS: add new prototype pollution query and reorganize #4778

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
codeql-ci merged 21 commits into from
Dec 11, 2020
Merged

JS: add new prototype pollution query and reorganize #4778

codeql-ci merged 21 commits into from
Dec 11, 2020

Conversation

@asgerf
Copy link
Contributor

@asgerf asgerf commented Dec 4, 2020
edited
Loading

Adds js/prototype-polluting-assignment for flagging property assignments of the form obj[x].prop = value where x may be the user-controlled value __proto__.

Since the property read obj[x] and the assignment base.prop = value can occur arbitrarily far away from each other, we use a flow label to track the value from obj[x] to base.

Currently the new query does not do anything special to account for the constructor.prototype payload, as such sinks are often exploitable by __proto__ as well (the notable exception being when people explicitly guard against __proto__ but not constructor/prototype).

Also reorganizes the prototype pollution queries, moving all to the Security/CWE-915 folder and tagging them with CWE-079, CWE-094, CWE-400, and CWE-915.

Also, the query js/type-confusion-through-parameter-tampering now treats the x in x === "__proto__" as a sink, since it can be bypassed by ["__proto__"], slightly simplifying the sanitizer logic in the new query.

Evaluations: (internal links)

  • Smoke test looks good - acceptable performance for a new query
  • Performance commits alone, based on main, and based on this PR, both show about 60% speed-up for bwip, and neutral performance otherwise, perhaps leaning slightly towards a general speedup.
  • Larger evaluation (re-run of slowest) shows decent performance for a new query, and a good number of new results.

@asgerf asgerf added JS Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish labels Dec 4, 2020
@asgerf asgerf requested review from a team and mchammer01 as code owners December 4, 2020 13:02
erik-krogh
erik-krogh reviewed Dec 7, 2020
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good query, nice results, great performance 👍

Just a few minor comments for now.

asgerf added 17 commits December 7, 2020 10:16
@asgerf asgerf force-pushed the js/more-prototype-pollution branch from 9aae46b to 254ac7f Compare December 7, 2020 10:49
@asgerf asgerf removed the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Dec 7, 2020
@asgerf
Copy link
Contributor Author

asgerf commented Dec 7, 2020

Thanks for the review!

Evaluation and rerun of slowest look good (internal inks). Added the links to the PR description as well.

@asgerf
Copy link
Contributor Author

asgerf commented Dec 7, 2020

@mchammer01 may I ask you for a doc review?

@mchammer01
Copy link
Contributor

mchammer01 commented Dec 7, 2020

Yes sure, will try to fit this in later today or tomorrow.

mchammer01
mchammer01 reviewed Dec 8, 2020
View reviewed changes
Copy link
Contributor

@mchammer01 mchammer01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@asgerf 👋🏻
This LGTM ✨
There's a tiny typo, and also, I think the CWE should be CWE-078 and not 079 on the new query)
Apart from that, I have made a few minor comments, feel free to ignore them if you don't agree 🙂

asgerf and others added 2 commits December 9, 2020 09:58
@asgerf
JS: Address doc review
fd293d0
@asgerf @mchammer01
Apply suggestions from code review
ed729a1 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
@asgerf
Copy link
Contributor Author

asgerf commented Dec 9, 2020

Thanks for the review @mchammer01, I've addressed the comments.

mchammer01
mchammer01 approved these changes Dec 10, 2020
View reviewed changes
Copy link
Contributor

@mchammer01 mchammer01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing my comments @asgerf ⚡ ✨
This is good to go from a docs point of view 👍🏻

@asgerf
Copy link
Contributor Author

asgerf commented Dec 11, 2020

Just a few minor comments for now.

@erik-krogh any final comments from your end?

erik-krogh
erik-krogh approved these changes Dec 11, 2020
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@erik-krogh any final comments from your end?

Nope. LGTM.

@codeql-ci codeql-ci merged commit 9ff6d68 into github:main Dec 11, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mchammer01 mchammer01 mchammer01 approved these changes

@erik-krogh erik-krogh erik-krogh approved these changes

Assignees

No one assigned

Labels

documentation JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@asgerf @mchammer01 @erik-krogh @codeql-ci