JavaScript: Add some new XSS sinks and sources of Next.js (and some extra improvements) #747

tyage · 2023-04-24T01:53:22Z

Query PR

github/codeql#10984
github/codeql#12787
github/codeql#12963
github/codeql#12975

Language

JavaScript

CVE(s) ID list

CVE-2022-0087

CWE

CWE-79

Report

What is the vulnerability?
Reflected XSS
How does the vulnerability work?
When a victim visits the URL which contains malicious script, it will be evaluated on victim's browser.
What strategy do you use in your query to find the vulnerability?
I added Next.js router's query and some args in getServerSideProps function, which is commonly used to receive query/path parameter in URL, as sources.
JS: Add Next.js parameters as source codeql#10984
I also added Next.js router's query.push as a sink for XSS.
JS: Add New XSS sink - Next.js router.push/replace codeql#12787
I also made some improvements to enable CodeQL detect when the application require submodule package and useRouter comes from other modules.
JS: Track interfile useRouter codeql#12963
JS: Support sub modules codeql#12975
How have you reduced the number of false positives?
I think we won't see any false positives.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Yes
No

Blog post link

No response

tyage · 2023-04-30T10:49:30Z

here is a database for quicker evaluation

keystone-auth-db.zip

JarLob · 2023-05-15T12:52:07Z

Hi @tyage, which query from the "CWE-79" folder should detect the vulnerability? I have built codeql database from https://github.com/keystonejs/keystone/archive/refs/tags/@keystone-6/[email protected], but it doesn't detect anything.

tyage · 2023-05-15T21:42:57Z

Hi @JarLob , did you tested with #12975 branch?
It is not currently merged.

Xss.ql should detect XSS if it is merged.
https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/Xss.ql

JarLob · 2023-05-15T21:50:16Z

I applied it manually, it is just one function if I didn't miss anything.

tyage · 2023-05-16T11:26:46Z

@JarLob
We need to run npm install and npm run build before creating a database since we can't find a XSS source properly without build.
After that, it can detect the XSS flow.

tyage · 2023-05-16T11:50:02Z

this is how the result looks liked to me.

JarLob · 2023-05-16T16:12:51Z

Thanks, I was able to get the alerts after npm install and npm run build.

JarLob · 2023-05-16T17:30:59Z

Looking at how the CVE was fixed and seeing your query still flags it, do you think it is a false positive or the fix was insufficient?

tyage · 2023-05-17T00:23:12Z

Yes, this is a false positive.
This fix ensures that the query starts from / using a condition router.query.from?.startsWith('/'), but the current XSS query doesn't take care of such custom filters.
I think it is difficult to detect these filters and sanitizers properly since there are so many patterns.

ghsecuritylab · 2023-05-17T08:05:39Z

Your submission is now in status Test run.